Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jy-customer-requirement-analysis
v1.0.0金融投顾智能助理技能。基于客户沟通素材,帮助理财师/投顾经理快速精准理解客户投资需求,输出标准化分析报告(需求痛点、可行性评估、解决方案、产品匹配、潜在需求挖掘)。支持 PDF 导出和 HTML 可视化。使用场景:当用户需要分析客户投资需求、生成投顾分析报告、进行客户画像分析、制定理财方案或匹配金融产品时触发。F...
⭐ 0· 25·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (financial advisory, product matching, PDF/HTML export) align with required binaries (node, npm, mcporter) and use of a financial data MCP service; requesting mcporter to call gildata MCP endpoints is coherent. However the skill's metadata does not declare the external API credential (JY_API_KEY) or the config paths it actually requires, which is inconsistent.
Instruction Scope
SKILL.md explicitly instructs running mcporter commands that call an external financial data service and to add a JY_API_KEY token into mcporter config; it also instructs editing OpenClaw's openclaw.json and restarting the gateway. Directives to modify agent config files and persist MCP token are outside a minimal 'analysis only' scope and increase the security surface.
Install Mechanism
Install uses npm to install the mcporter package (node/npm). This is an expected, standard install mechanism for a CLI dependency; no opaque downloads or extract-from-IP URLs are present in the documented install steps.
Credentials
The runtime instructions require a JY_API_KEY (token for gildata MCP) and will result in that token being embedded in mcporter configuration (and indirectly referenced via MCPORTER_CONFIG in openclaw.json). Yet the skill's declared requires.env and required config paths are empty — a clear mismatch. Storing API tokens in local config files and adding them into agent config increases risk of credential exposure and is not documented in metadata.
Persistence & Privilege
The skill tells users to edit OpenClaw's global/openclaw.json to enable a 'mcporter' entry and to set MCPORTER_CONFIG there, then restart the gateway. That action modifies agent/system config (affecting other skills/tools) rather than staying within the skill's own transient runtime, raising persistence/privilege concerns.
What to consider before installing
This skill is plausibly a legitimate financial-assistant wrapper around the 'mcporter' MCP client, but there are three practical concerns to consider before installing: (1) The SKILL.md requires a JY_API_KEY (gildata token) but the skill metadata does not declare this credential—confirm you are comfortable obtaining and storing that token and verify how/where it will be stored (mcporter config and openclaw.json may contain it in plaintext). (2) The instructions request editing your OpenClaw configuration to enable a separate 'mcporter' entry and setting MCPORTER_CONFIG, which changes agent-wide configuration and can broaden the blast radius if mcporter or its config are compromised. Only proceed if you trust the mcporter package and the gildata service. (3) Verify the npm 'mcporter' package origin and inspect the mcporter config file (~/.mcporter/mcporter.json) after creation to see if sensitive tokens are stored; prefer keeping tokens in a secure secrets store if possible. If you need higher assurance, ask the skill author to (a) declare required env vars/config paths in metadata, (b) avoid instructing edits to global openclaw.json (or provide an opt-in installer), and (c) document how credentials are stored and protected.Like a lobster shell, security has layers — review code before you run it.
latestvk975ar8yx47fw5y4rh4ym0zf05844211
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Binsnode, npm, mcporter
Install
Install mcporter via npm
npm i -g mcporter