ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jy-chenhui-summary

v1.0.0

基于恒生聚源 MCP 金融数据库生成专业级晨会精华纪要。触发场景:用户要求"晨会总结"、"研报汇总"、"市场观点"、"每日/周度纪要"、"券商观点"、"聚源研报"等。数据源限定为恒生聚源合作券商研报,严禁编造内容。Generate professional morning briefing summaries b...

0· 31·0 current·0 all-time
by@jiayinian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (generate morning meeting summaries from the GilData/MCP financial DB) matches the actions described: it requires the mcporter client, uses mcporter call to query partner broker reports, and outputs Markdown summaries. Required binaries (node/npm/mcporter) and the mcporter-based workflow are appropriate for this purpose.
!
Instruction Scope
The SKILL.md explicitly instructs the agent/operator to install and run mcporter, configure two services, and run mcporter call commands that will send queries to external endpoints (https://api.gildata.com/...). It also instructs embedding the JY_API_KEY in the service URL passed on the command line (mcporter config add ...?token=你的 JY_API_KEY). That creates practical disclosure risks (shell history, process arguments, logs). The instructions otherwise stay within the stated purpose and do not request unrelated system secrets or files, but the guidance around safe handling of the API key is weak and the skill forbids exposing technical details in outputs while still relying on internal tool names during the workflow.
Install Mechanism
Install is via npm global: `npm install -g mcporter`. This is a standard mechanism (not a raw download URL), but global npm installs require elevated privileges and run third-party code. The npm package 'mcporter' should be reviewed (package owner, repository, integrity) before installing. No archive downloads or obscure URLs are used.
!
Credentials
Registry metadata lists no required env vars or primary credential, yet SKILL.md requires obtaining a JY_API_KEY and configuring mcporter with that token. This metadata omission is an inconsistency: a secret is required in practice but not declared. The JY_API_KEY is proportionate to the skill's purpose, but attention is needed because the instructions show the token passed on the command line (which can leak via history/logs) and stored in mcporter config files — verify how mcporter stores credentials and consider least-privileged/rotating keys.
Persistence & Privilege
The skill is instruction-only (no bundled code) and does not request 'always: true'. It relies on mcporter and on locally stored mcporter config (where the token will reside). It does not attempt to modify other skills or global agent settings. Autonomous invocation is allowed by default but is not combined with broad undeclared credentials here.
What to consider before installing
This skill appears to do what it says (summarize partner broker research via the GilData/MCP service) but review and mitigate a few practical risks before installing: - The SKILL.md requires a JY_API_KEY though the registry metadata does not declare it. Expect to obtain and supply a service API key — this is necessary and proportional, but confirm you are comfortable providing it. - The install uses npm: inspect the 'mcporter' package (npm listing, repository, maintainer, recent downloads) before running `npm install -g mcporter`. Global npm installs run third-party code and may require elevated privileges. - The instructions show adding the token in the URL on the command line (mcporter config add ...?token=...). Avoid pasting secrets directly into shell commands where possible (shell history and process lists can leak them). Prefer secure config options if mcporter supports them, and remove sensitive commands from shell history afterward. - Check how mcporter stores credentials locally (config file path shown in docs) and ensure the config file is protected (file permissions) and you can rotate/revoke keys. Use a least-privilege key and rotate it periodically. - If you need stronger assurance, ask the skill author for: (1) exact mcporter package repository link, (2) confirmation whether mcporter stores tokens encrypted, and (3) an option to supply the key via environment variable or an interactive prompt rather than via command-line URL. If you accept those mitigations and verify the mcporter package origin, the skill's behavior is coherent with its purpose. If you cannot verify the npm package or are uncomfortable with storing/pasting the API key as shown, consider not installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97atr26ye6ca3m1xnw9zfznas843bcn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, npm, mcporter

Install

Install mcporter via npmnpm i -g mcporter

Comments