jy-fund-research-report
Warn
Audited by ClawScan on May 10, 2026.
Overview
The fund-reporting purpose is coherent, but review is needed: the setup docs point the API key at an endpoint that does not match the one used by the skill's code, and the script can write outside its output folder when given a crafted fund identifier.
Before installing, verify the correct GILData MCP endpoint and do not paste your JY_API_KEY into the README's pure.warrenq.com URL unless you have independently confirmed that host is authorized to receive it. Until the output filename handling is fixed, avoid fund identifiers that contain path separators, traversal sequences, or absolute paths.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could paste a financial data API key into a configuration that sends it to an unexpected endpoint, exposing the key to a third party or causing the skill to talk to the wrong service.
The README tells users to attach their JY_API_KEY to a different host and service name than the api.gildata.com / jy-financedata-api endpoint used by the skill documentation and code. This creates an unclear credential boundary.
mcporter config add api-mcp --url "https://pure.warrenq.com/mcpdb/api-mcp?token=<your JY_API_KEY>"
Use only the official, intended GILData endpoint, make the service name match the code, and update metadata/docs so the API-key destination is unambiguous. Note also that the README command carries the key in the URL query string, so whichever host it reaches, the key will also land in shell history and in any proxy or server access logs.
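As an added example (not part of the skill or the ClawScan report), the following Python check compares an `mcporter config add` service name and URL against the endpoint the finding says the code actually uses. EXPECTED_HOST and EXPECTED_SERVICE are taken from the finding; the consistent `/mcp` path is an assumption, and the README command is reproduced with the key redacted.

```python
from urllib.parse import parse_qs, urlsplit

# From the finding above: host and service name used by the skill's own code
# and documentation. The README's host (pure.warrenq.com) differs from this.
EXPECTED_HOST = "api.gildata.com"
EXPECTED_SERVICE = "jy-financedata-api"


def check_mcp_endpoint(service_name: str, url: str) -> list[str]:
    """Return the problems with a `mcporter config add <service> --url <url>`
    pair. An empty list means the key destination is consistent with the code."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append(f"scheme {parts.scheme!r} is not https")
    if parts.hostname != EXPECTED_HOST:
        problems.append(
            f"host {parts.hostname!r} is not the documented endpoint {EXPECTED_HOST}"
        )
    if "token" in parse_qs(parts.query):
        # A key carried in the query string ends up in shell history, proxy logs
        # and the remote server's access logs, whichever host it reaches.
        problems.append("API key is passed as a URL query parameter")
    if service_name != EXPECTED_SERVICE:
        problems.append(
            f"service name {service_name!r} does not match {EXPECTED_SERVICE}"
        )
    return problems


# Constructed inputs: the README's command as quoted in the finding (key
# redacted), and a hypothetical consistent config; the /mcp path is assumed.
README_CONFIG = ("api-mcp", "https://pure.warrenq.com/mcpdb/api-mcp?token=REDACTED")
CONSISTENT_CONFIG = ("jy-financedata-api", "https://api.gildata.com/mcp")

if __name__ == "__main__":
    for name, url in (README_CONFIG, CONSISTENT_CONFIG):
        print(name, url, check_mcp_endpoint(name, url) or "OK")
```

Run it before pasting a real key: the README configuration reports three problems (wrong host, key in query string, mismatched service name), while a configuration that matches the code reports none.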
A crafted fund identifier could make the script write its Markdown data file outside the intended output folder, overwriting any file the user account can write to.
A user-supplied fund code or name is used directly in a filesystem path without rejecting slashes, absolute paths, or traversal sequences.
fund_code = sys.argv[1] ... output_file = OUTPUT_DIR / f"{fund_code}_data.md"
Restrict fund identifiers to safe characters, reject path separators and absolute paths, and verify the resolved output path stays inside the output directory before writing.
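As an added example (not the skill's own code), here is one way to apply that recommendation in Python: an allowlist on the identifier plus a check that the resolved path is a direct child of the output directory. The `output` directory and the allowed character set are assumptions; if JY/GILData fund codes are purely numeric, tighten the pattern accordingly.

```python
import re
import sys
from pathlib import Path

# Hypothetical output directory; the skill's real OUTPUT_DIR is not shown
# in the report.
OUTPUT_DIR = Path("output")

# Assumed allowlist: letters, digits, underscore, hyphen, 1-64 characters.
# No "/", "\\", "." or whitespace, so traversal and absolute paths cannot form.
FUND_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


class UnsafeFundIdentifier(ValueError):
    """Raised when a fund identifier could influence the output path."""


def validate_fund_id(fund_code: str) -> str:
    if not FUND_ID_RE.fullmatch(fund_code):
        raise UnsafeFundIdentifier(f"rejected fund identifier: {fund_code!r}")
    return fund_code


def safe_output_path(fund_code: str, output_dir: Path = OUTPUT_DIR) -> Path:
    """Return <output_dir>/<fund_code>_data.md, confined to output_dir."""
    validate_fund_id(fund_code)
    base = output_dir.resolve()
    # pathlib discards `base` when the right-hand side is absolute, and "../"
    # segments survive the join, so resolve and re-check rather than trusting
    # the allowlist alone (defence in depth if the pattern is loosened later).
    target = (base / f"{fund_code}_data.md").resolve()
    if target.parent != base:
        raise UnsafeFundIdentifier(f"output path {target} escapes {base}")
    return target


def is_safe_fund_id(fund_code: str) -> bool:
    """Convenience wrapper: True if the identifier yields a confined path."""
    try:
        safe_output_path(fund_code)
        return True
    except UnsafeFundIdentifier:
        return False


if __name__ == "__main__":
    # Same entry point shape as the skill: fund identifier from argv[1].
    print(safe_output_path(sys.argv[1]))
```

Inputs such as `../../etc/passwd`, `/tmp/evil` or `a/b` are rejected at the allowlist; the second check guards against the same class of bug if the pattern is ever relaxed.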
The skill will not work without external tooling, and global CLI installs inherit the trust and update risks of the package source.
The skill relies on installing and running an external npm CLI globally. This is central to the stated MCP workflow, but users should be aware that it is a runtime dependency whose trust and update behaviour come from the package source, not from the skill.
requires: bins: ["node", "npm", "mcporter", "python3"] ... package: mcporter
Declare the dependency consistently in registry metadata, prefer pinned versions where possible, and install mcporter only from a trusted package source.
