Low Risk — Risk Score 18/100
Last scan: 1 day ago
yahooclaw
Yahoo Finance API integration for OpenClaw - stock quotes, historical data, technical analysis
YahooClaw is a legitimate stock market data fetching skill with no malicious behavior detected. Minor concerns include documentation inconsistencies and unpinned dependencies.
Skill Name: yahooclaw
Duration: 47.1s
Engine: pi
Safe to install
This skill is safe to use. Consider pinning dependency versions for production deployments. The hardcoded Alpha Vantage key in test files is a public demo key, not an active credential.

Findings (3 items)

1. Low · Doc Mismatch · SKILL.md:14
Documentation mentions SQLite but implementation uses in-memory caching
SKILL.md claims 'Local SQLite database storage (optional caching)', but the code uses only in-memory Map-based caching in APIManager.js.
Evidence: ✅ File Access: Local SQLite database storage (optional caching)
→ Update SKILL.md to reflect the actual implementation (in-memory caching only) or implement the claimed SQLite feature.

2. Low · Supply Chain · package.json:18
Dependencies not fully version pinned
package.json uses caret ranges, which allow minor and patch updates and can pull in code nobody reviewed at the time of install.
Evidence: "yahoo-finance2": "^2.11.3", "dotenv": "^17.3.1"
→ Consider pinning exact versions for production: yahoo-finance2: '2.11.3', dotenv: '17.3.1'. A committed lockfile installed with npm ci also pins transitive dependencies, which package.json alone cannot.

3. Info · Sensitive Access · test-alpha.js:10
Test file contains Alpha Vantage demo API key
test-alpha.js contains the hardcoded Alpha Vantage API key '9Z6PTPL7AB5M5DN3', which the analysis identifies as a well-known public demo key.
Evidence: apiKey: '9Z6PTPL7AB5M5DN3'
→ A public demo key is safe for testing and should not be confused with an active stolen credential. Confirm the classification against the demo key Alpha Vantage publishes in its own documentation before accepting it; a hardcoded key that is not publicly documented should be treated as leaked and rotated.
Resource      Declared  Inferred  Status            Evidence
Network       READ      READ      ✓ Aligned         Uses fetch() to yahoo-finance2 and alphavantage.co
Filesystem    WRITE     NONE      ⚠ Over-declared   SKILL.md claims SQLite storage, but code uses in-memory Map only
Shell         NONE      NONE                        No child_process, exec, or shell commands found
Environment   READ      READ      ✓ Aligned         Only reads ALPHA_VANTAGE_API_KEY
Skill Invoke  NONE      NONE                        No skill invocation chain detected
Clipboard     NONE      NONE                        No clipboard access
Browser       NONE      NONE                        No browser automation
Database      WRITE     NONE      ⚠ Over-declared   Declared SQLite, but only in-memory caching implemented

A declared WRITE with an inferred NONE is an over-declaration, not an alignment: the manifest promises more access than the code uses, which is a documentation defect (Finding 1). The reverse case, code using access the manifest never declared, would be the security-relevant mismatch; none was found here.
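The table above is one instance of a general check: for every resource, compare the access level the skill declares with the level static analysis infers, and treat the two directions of mismatch differently. The following is an added example written for this page, not the scanner's or the yahooclaw project's code; the DECLARED and INFERRED maps are constructed from the table above and the level ordering NONE < READ < WRITE is an assumption.

```javascript
// Added example, not code from the scan report or the yahooclaw project:
// compare a skill's declared resource access with what static analysis
// infers from its code. Over-declaration (declared > inferred) is a
// documentation defect; under-declaration (inferred > declared) is the
// security-relevant case, because the skill does something it never asked for.

// Assumed ordering of access levels; a resource absent from either side is NONE.
const LEVEL = { NONE: 0, READ: 1, WRITE: 2 };

function classify(declared, inferred) {
  const d = LEVEL[declared];
  const i = LEVEL[inferred];
  if (d === undefined || i === undefined) {
    throw new Error(`unknown access level: ${declared} / ${inferred}`);
  }
  if (d === i) return "aligned";
  return d > i ? "over-declared" : "under-declared";
}

// One row per resource named on either side, sorted by resource name.
function compareManifest(declared, inferred) {
  const names = new Set([...Object.keys(declared), ...Object.keys(inferred)]);
  return [...names].sort().map((resource) => {
    const d = declared[resource] ?? "NONE";
    const i = inferred[resource] ?? "NONE";
    return { resource, declared: d, inferred: i, status: classify(d, i) };
  });
}

// Gate: any under-declared resource fails the install check regardless of the
// overall risk score. Over-declared rows are reported for the documentation
// fix but do not block.
function blocksInstall(rows) {
  return rows.some((row) => row.status === "under-declared");
}

// Constructed from the resource table in this report.
const DECLARED = {
  Network: "READ", Filesystem: "WRITE", Shell: "NONE",
  Environment: "READ", Database: "WRITE", Browser: "NONE",
};
const INFERRED = {
  Network: "READ", Filesystem: "NONE", Shell: "NONE",
  Environment: "READ", Database: "NONE", Browser: "NONE",
};

// Plain-text rendering in the same column order as the report's table.
function renderRows(rows) {
  return rows
    .map((r) => `${r.resource.padEnd(12)} ${r.declared.padEnd(6)} ${r.inferred.padEnd(6)} ${r.status}`)
    .join("\n");
}

const REPORT_ROWS = compareManifest(DECLARED, INFERRED);
console.log(renderRows(REPORT_ROWS));
console.log(blocksInstall(REPORT_ROWS) ? "BLOCK: under-declared access" : "OK: no under-declared access");
```

Run with node; for the constructed input it prints two over-declared rows (Filesystem, Database) and does not block, matching the findings above. A second manifest in which the code uses Shell WRITE without declaring it would be blocked.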
Pattern scan: 13 findings (1 High, 12 Medium)

These are regex-based hits, not verified findings. The High entry is the same test-file literal that the analysis above rates Info (public demo key). Of the 12 External URL hits, eleven are badges and documentation links in README-CN.md, README.md, SKILL.md and docs/API-CONFIGURATION.md; only src/api/AlphaVantage.js:14 is a URL the code requests at runtime.

🔑 High · API Key · Suspected hardcoded credential
apiKey: '9Z6PTPL7AB5M5DN3' (test-alpha.js:10)
🔗 Medium · External URL
https://img.shields.io/github/v/tag/leohuang8688/yahooclaw?label=version&color=green (README-CN.md:5)
🔗 Medium · External URL
https://img.shields.io/badge/License-MIT-yellow.svg (README-CN.md:6)
🔗 Medium · External URL
https://opensource.org/licenses/MIT (README-CN.md:6)
🔗 Medium · External URL
https://img.shields.io/badge/OpenClaw-Skill-blue (README-CN.md:7)
🔗 Medium · External URL
https://finance.yahoo.com/news/... (README-CN.md:262)
🔗 Medium · External URL
https://finance.yahoo.com/ (README-CN.md:437)
🔗 Medium · External URL
https://www.alphavantage.co/ (README-CN.md:439)
🔗 Medium · External URL
https://discord.gg/clawd (README-CN.md:449)
🔗 Medium · External URL
https://www.alphavantage.co/support/#api-key (README.md:59)
🔗 Medium · External URL
https://docs.openclaw.ai/ (SKILL.md:153)
🔗 Medium · External URL
https://www.alphavantage.co/support/ (docs/API-CONFIGURATION.md:281)
🔗 Medium · External URL
https://www.alphavantage.co/query (src/api/AlphaVantage.js:14)
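The pattern scan above shows the two triage problems with raw regex hits: a hardcoded key literal is rated High whether or not it is a documented demo value, and every badge URL in a README counts the same as the endpoint the code calls. The following is an added example written for this page, not the scanner's or the yahooclaw project's code. The sample files are constructed (the paths borrow names from the file tree, the contents are made up), the allowlist of public demo values is an assumption the reviewer would fill from the provider's documentation, and the "runtime vs documentation" split is decided by file extension.

```javascript
// Added example, not the scanner's code or the yahooclaw project's: a small
// pattern scanner over source text. It (a) flags credential-shaped string
// literals assigned to key-like names and separates values that match a
// reviewer-supplied allowlist of publicly documented demo values from unknown
// ones, and (b) groups external URLs by host and records whether each host is
// referenced from executable code or only from documentation.

// Constructed sample files. Paths reuse a few names from the report's file
// tree, but the contents are made up for this example.
const SAMPLE_FILES = {
  "test-alpha.js":
    `const av = new AlphaVantage({ apiKey: 'demo' });`,
  "src/api/AlphaVantage.js":
    `const BASE_URL = 'https://www.alphavantage.co/query';\n` +
    `const key = process.env.ALPHA_VANTAGE_API_KEY; // not a literal, so not flagged`,
  "scripts/constructed.js":
    `const cfg = { token: 'CONSTRUCTED-SAMPLE-0001' }; // unknown literal, flagged for review`,
  "README-CN.md":
    `![version](https://img.shields.io/github/v/tag/example/yahooclaw?label=version)\n` +
    `![license](https://img.shields.io/badge/License-MIT-yellow.svg)\n` +
    `[MIT](https://opensource.org/licenses/MIT)`,
};

// Assumption: the reviewer maintains this list from the provider's public
// documentation. Alpha Vantage's documentation examples use the value "demo".
const PUBLIC_DEMO_VALUES = new Set(["demo"]);

// name[:=]'literal' for key-like names; values shorter than 4 chars are noise.
const KEY_LITERAL = /\b(api[_-]?key|token|secret|password)\b\s*[:=]\s*(['"])([^'"]{4,})\2/gi;
const URL_PATTERN = /https?:\/\/[^\s)"'<>\]]+/g;
// Files whose URLs the runtime can actually request, as opposed to docs.
const CODE_FILE = /\.(?:[cm]?js|ts)$/;

function findCredentialLiterals(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    text.split("\n").forEach((lineText, idx) => {
      for (const m of lineText.matchAll(KEY_LITERAL)) {
        const value = m[3];
        hits.push({
          path, line: idx + 1, name: m[1], value,
          verdict: PUBLIC_DEMO_VALUES.has(value) ? "public-demo" : "review",
        });
      }
    });
  }
  return hits;
}

function externalUrlsByHost(files) {
  const byHost = new Map();
  for (const [path, text] of Object.entries(files)) {
    const inCode = CODE_FILE.test(path);
    for (const m of text.matchAll(URL_PATTERN)) {
      const host = new URL(m[0]).host;
      const entry = byHost.get(host) ?? { host, count: 0, runtime: false, files: new Set() };
      entry.count += 1;
      entry.runtime = entry.runtime || inCode;
      entry.files.add(path);
      byHost.set(host, entry);
    }
  }
  return [...byHost.values()].map((e) => ({ ...e, files: [...e.files].sort() }));
}

console.log(findCredentialLiterals(SAMPLE_FILES));
console.log(externalUrlsByHost(SAMPLE_FILES));
```

For the constructed input, the demo literal in test-alpha.js comes back as "public-demo", the made-up token as "review", and the env-var read in src/api/AlphaVantage.js is not reported at all, which is the form the code should take. The URL pass yields three hosts, of which only www.alphavantage.co is marked runtime; the shields.io badges collapse into a single documentation-only entry instead of several Medium findings.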

File Tree

22 files · 92.4 KB · 3720 lines
JavaScript: 14 files · 2012 lines · Markdown: 7 files · 1671 lines · JSON: 1 file · 37 lines
├─ 📁 docs
│ ├─ 📝 API-CONFIGURATION.md Markdown 286L · 6.2 KB
│ └─ 📝 USAGE-SCENARIOS.md Markdown 373L · 7.5 KB
├─ 📁 src
│ ├─ 📁 api
│ │ ├─ 📜 AlphaVantage.js JavaScript 264L · 7.6 KB
│ │ └─ 📜 APIManager.js JavaScript 204L · 4.9 KB
│ ├─ 📁 modules
│ │ ├─ 📜 History.js JavaScript 113L · 2.4 KB
│ │ ├─ 📜 News.js JavaScript 169L · 4.5 KB
│ │ ├─ 📜 Quote.js JavaScript 81L · 2.3 KB
│ │ ├─ 📜 Technical.js JavaScript 389L · 10.8 KB
│ │ └─ 📜 YahooFinanceAdapter.js JavaScript 177L · 4.0 KB
│ └─ 📜 index.js JavaScript 85L · 2.0 KB
├─ 📁 test
│ └─ 📜 test-modules.js JavaScript 134L · 3.9 KB
├─ 📜 demo.js JavaScript 45L · 1.4 KB
├─ 📋 package.json JSON 37L · 846 B
├─ 📝 README-CN.md Markdown 453L · 10.9 KB
├─ 📝 README.md Markdown 139L · 3.3 KB
├─ 📝 SECURITY.md Markdown 69L · 1.4 KB
├─ 📝 SKILL.md Markdown 178L · 4.3 KB
├─ 📝 TEST_REPORT.md Markdown 173L · 3.4 KB
├─ 📜 test-alpha.js JavaScript 40L · 1.1 KB
├─ 📜 test-full.js JavaScript 159L · 4.9 KB
├─ 📜 test-integration.js JavaScript 109L · 3.2 KB
└─ 📜 test-tsla.js JavaScript 43L · 1.5 KB

Dependencies (2 items)

Package         Version   Source  Known Vulns  Notes
yahoo-finance2  ^2.11.3   npm     No           Version range allows minor/patch updates
dotenv          ^17.3.1   npm     No           Version range allows minor/patch updates
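Both the Supply Chain finding and the table above come down to one check: does every specifier in package.json name exactly one version? The following is an added example written for this page, not the scanner's or the yahooclaw project's code. The sample package.json is constructed (the two runtime dependencies are the ones quoted in the report; the devDependency and its version are made up to show an already-exact entry).

```javascript
// Added example, not code from the scan report or the yahooclaw project:
// detect dependency specifiers that are not pinned to one exact version and
// produce the exact-pinned form the report recommends.

// Constructed sample package.json for this example.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "yahooclaw-sample",
  dependencies: {
    "yahoo-finance2": "^2.11.3",
    "dotenv": "^17.3.1",
  },
  devDependencies: {
    "eslint": "8.57.0",
  },
});

// An exact specifier is a bare semver version (MAJOR.MINOR.PATCH, optional
// prerelease/build suffix). Everything else (^, ~, ranges, *, dist-tags such
// as "latest", git or tarball URLs) lets a later install resolve to code the
// author never reviewed.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function findUnpinned(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const unpinned = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] ?? {})) {
      if (!EXACT_SEMVER.test(spec)) unpinned.push({ field, name, spec });
    }
  }
  return unpinned;
}

// Pins by stripping a single leading ^ or ~ when what remains is an exact
// version. Anything more complex is reported as unresolved: the right version
// for those is whatever the lockfile currently resolves them to, and a person
// should choose it rather than a regex.
function pinExact(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const unresolved = [];
  for (const { field, name, spec } of findUnpinned(packageJsonText)) {
    const stripped = spec.replace(/^[\^~]/, "");
    if (EXACT_SEMVER.test(stripped)) pkg[field][name] = stripped;
    else unresolved.push({ field, name, spec });
  }
  return { pinned: pkg, unresolved };
}

const SAMPLE_RESULT = pinExact(SAMPLE_PACKAGE_JSON);
console.log(JSON.stringify(SAMPLE_RESULT.pinned.dependencies, null, 2));
console.log("unresolved:", SAMPLE_RESULT.unresolved);
```

Pinning package.json only fixes the versions of direct dependencies; their own dependencies still resolve through ranges. Committing package-lock.json and installing with npm ci pins the whole tree and aborts the install if the lockfile and package.json disagree, which is the control the finding is really asking for.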

Security Positives

✓ No eval(), exec(), or child_process usage found
✓ No base64 encoding or obfuscation detected
✓ No credential exfiltration or C2 communication
✓ No reverse shell or remote code execution
✓ All network requests use HTTPS
✓ Input validation implemented in API calls
✓ Error handling is comprehensive
✓ No access to sensitive paths (~/.ssh, ~/.aws); the only .env involvement is the dotenv dependency loading the skill's own configuration (ALPHA_VANTAGE_API_KEY), consistent with the Environment row above
✓ No hidden functionality discovered
✓ Open source and auditable codebase
✓ Rate limiting implemented in API calls