jy-asset-allocation-report

This skill appears to be what it claims (generating reports from gildata via an MCP client), but there are mismatches and omissions you should address before installing: 1) The SKILL.md requires a JY_API_KEY, but the registry metadata does not declare any required credential — verify where and how you will provide the key and whether the platform will protect it. 2) The instructions embed the token into mcporter service URLs which may be saved in local mcporter config — confirm mcporter's storage location and permissions so your key isn't leaked. 3) SKILL.md references additional tools (google-chrome headless, python3/reportlab, fonts, pandoc/xelatex) and suggests saving to ~/Desktop — ensure you have these binaries or are comfortable installing them; they are not declared as required in the registry. 4) Validate the npm package 'mcporter' publisher and version before global install (npm packages can be abused); prefer installing in a controlled environment or container. 5) Consider least-privilege: use a gildata key with minimal scope (if possible) and avoid putting production or high-privilege credentials into unvetted skills. If you can, ask the skill author to: (a) declare JY_API_KEY in requires.env, (b) declare all required system binaries (chrome, python3) or make them optional, and (c) document where mcporter stores credentials and how to remove them. If you cannot verify the mcporter package or the skill author, run this in an isolated environment (VM/container) and do not share high-value credentials.