Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jy-fund-consistency-analysis
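v1.0.0 · Analyzes the consistency between fund managers' stated views and their holdings using the Juyuan (Gildata) database, and provides multi-dimensional scores for sector allocation, investment style, stock-selection logic and risk control, along with a standardized report.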
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The skill's functionality (call MCP/Gildata APIs via an mcporter CLI to fetch viewpoints and holdings and produce reports) is coherent with its description. However the registry metadata presented earlier lists no required binaries/env, while SKILL.md (and analyzer_v2.py) require Node/npm/npx and the mcporter CLI—this mismatch should be reconciled.
Instruction Scope
SKILL.md instructs the agent/user to install/enable mcporter, obtain a JY_API_KEY, run mcporter calls, and edit OpenClaw's config to enable mcporter. These steps are within the skill's functional scope but they require modifying OpenClaw config and creating a local .mcporter config containing the token, which increases the skill's reach and persistence.
Install Mechanism
There is no formal install spec in the registry, but SKILL.md recommends 'npm install -g mcporter' and pip install -r requirements.txt. Installing an npm package (mcporter) is moderate-risk until the package/source is verified. analyzer_v2.py also hardcodes a Windows npx path (C:\Program Files\nodejs\npx.cmd), which is brittle and platform-specific.
Credentials
The only external secret required is the JY_API_KEY for the MCP/Gildata API—which is appropriate for this data source. However the instructions place the key inside mcporter config URLs (persisted in ~/.mcporter or C:\Users\...\.mcporter\mcporter.json) and add an MCPORTER_CONFIG env entry to OpenClaw; this stores a token on-disk and in agent config, so users should ensure secure file permissions and trust the mcporter package.
Persistence & Privilege
The skill is not forced (always:false) and can be invoked by the user. It explicitly tells users to enable an external tool (mcporter) in OpenClaw's configuration, which modifies agent settings and increases the agent's toolset—this is functionally required but raises the blast radius if mcporter or its configuration is untrusted.
What to consider before installing
This skill largely does what it says (calls Gildata/MCP APIs via an mcporter CLI and generates reports), but before installing:
1) verify the mcporter npm package and its source on the npm registry (avoid installing unknown global packages blindly);
2) confirm api.gildata.com is the legit data provider you expect;
3) be aware you will need to obtain a JY_API_KEY and the instructions store it inside mcporter's config URL (a local file) — secure that file and consider limiting permissions;
4) the Python script hardcodes a Windows npx path—adjust for your OS;
5) consider running initial tests in an isolated environment (VM/container) to validate behavior; and
6) reconcile the mismatch between the registry metadata (no required binaries) and SKILL.md (requires node/npm/mcporter) before enabling the skill in production.
Like a lobster shell, security has layers — review code before you run it.
