jy-fund-research-report

This skill looks coherent with its stated purpose (pull MCP fund data and generate reports) but contains a few red flags you should resolve before installing or running it with real credentials: - Confirm the correct MCP endpoint: SKILL.md uses api.gildata.com, but README shows pure.warrenq.com — ask the author which is authoritative. Do not configure your API key against an endpoint you don't trust. - The skill requires a JY_API_KEY (MCP token) but the manifest does not declare it. Treat the API key as sensitive: do not paste it into public channels. Prefer configuring mcporter locally and inspect its config file to see where the token is stored and which endpoint it points to. - Verify the mcporter npm package provenance before installing (npmjs page, maintainer, recent versions). Consider installing mcporter in a controlled environment or container first and review network calls (e.g., via a proxy) to confirm it only contacts expected MCP hosts. - Because the skill sends the retrieved data to an AI for analysis, decide whether you are comfortable with that data being sent to your agent's model. If you have sensitive data in fund holdings/metadata, consider running fetch_data.py manually, reviewing the saved output files, and only then passing sanitized content to any model. If the author can: (1) update the skill manifest to explicitly list the required JY_API_KEY/primaryEnv, (2) remove or explain the conflicting README endpoint, and (3) provide a homepage or source verification (repository or signed publisher), the concerns would largely be resolved. Until then, run in a sandbox and verify mcporter configuration and network endpoints before providing real credentials.