← Back to Skills Marketplace
322
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install yf-stats
Description
Fetches stock data and generates price charts.
Usage Guidance
This skill appears to be what it says: it uses yfinance to fetch public market data and matplotlib to save a PNG chart. Before installing, be aware that: 1) installing requirements will pull packages from PyPI (check package versions/trust); 2) the script performs network calls to Yahoo Finance (ensure network policy/sandboxing is acceptable); 3) it writes chart files to the current working directory; and 4) no credentials are required or requested. If you want extra caution, run it in an isolated environment or inspect/ pin the package versions before installing.
Capability Analysis
Type: OpenClaw Skill
Name: yf-stats
Version: 1.0.0
The skill contains a potential shell command injection vulnerability in SKILL.md, where the {{ticker}} parameter is substituted into a command string without quoting or sanitization. Additionally, yf_scraper.py is vulnerable to a minor path traversal flaw because it uses the unsanitized ticker input to construct the output filename for generated charts (plt.savefig). While these appear to be unintentional security flaws rather than intentional malware, they represent high-risk vulnerabilities that could be exploited to execute arbitrary commands or write files to unintended locations.
Capability Assessment
Purpose & Capability
Name/description match the included files: SKILL.md instructs running yf_scraper.py, requirements list yfinance/pandas/matplotlib, and the script fetches ticker.info/history and optionally saves a PNG chart — all expected for a 'yf-stats' charting tool.
Instruction Scope
SKILL.md gives a narrow, specific runtime command (python3 yf_scraper.py {{ticker}} {{chart_flag}}) and the script only reads the ticker argument, calls yfinance, prints summary info, and optionally writes a chart file. There are no instructions to read unrelated files, environment variables, or send data to unfamiliar endpoints.
Install Mechanism
This is instruction-only (no install spec). A requirements.txt is provided for Python packages; installing those will pull from PyPI (yfinance, pandas, matplotlib). That is proportional to the task but installing third-party packages has normal supply-chain risk — nothing in the package list is surprising for this functionality.
Credentials
The skill declares no required env vars or credentials and the script does not access secrets. It does require network access (yfinance queries Yahoo Finance) and writes a chart PNG to the working directory — both are reasonable for the stated purpose.
Persistence & Privilege
always is false and the skill does not modify agent or system configuration or request persistent privileges. It only writes a local chart file when asked.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install yf-stats - After installation, invoke the skill by name or use
/yf-stats - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of yf-stats.
- Fetches stock data using Yahoo Finance symbols.
- Generates price charts when users request charts, graphs, or trends.
- Simple command interface with support for visual output via a --chart flag.
Metadata
Frequently Asked Questions
What is yf-stats?
Fetches stock data and generates price charts. It is an AI Agent Skill for Claude Code / OpenClaw, with 322 downloads so far.
How do I install yf-stats?
Run "/install yf-stats" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is yf-stats free?
Yes, yf-stats is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does yf-stats support?
yf-stats is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created yf-stats?
It is built and maintained by grayson85 (@grayson85); the current version is v1.0.0.
More Skills