Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jy-hk-stock-morning-brief
v1.0.0 Generates the "HK Stock Morning Brief" (《港股资讯早报》): a professional Hong Kong stock market analyst persona that uses the JuYuan (聚源) data MCP interface (called via mcporter) to analyze the previous trading day's market action, sectors and individual stocks, company announcements, research-report views, southbound capital flows, the industry landscape, overseas markets and more, giving pre-market investors a basis for decisions. Trigger words: 港股早报, 港股资讯早报, HK 早报, 港股日报, 恒指复盘, 港股复盘. Generate HK...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious, medium confidence
Purpose & Capability
The skill legitimately needs mcporter (to call the MCP service) and node/npm to install it, which matches the description. However, the shipped runtime is Python (two Python scripts) while the required binaries do not list python/python3, which is an inconsistency. The skill also requires a JY_API_KEY to configure mcporter (described in SKILL.md), but no credential or environment variable is declared in the metadata.
Instruction Scope
Runtime instructions call out to mcporter (mcporter call ...), which matches the stated purpose and the included scripts. Concerns:
(1) SKILL.md and the scripts hardcode or recommend writing reports to /home/liust/openclaw/workspace/reports/ and editing ~/.openclaw/openclaw.json (the agent config); both are user-specific absolute paths that may be wrong for your machine or overwrite local config.
(2) fetch_hk_data.py uses subprocess.run(..., shell=True) to build and execute mcporter commands; if any input is untrusted this can lead to shell injection.
(3) SKILL.md instructs obtaining a JY_API_KEY by email and embedding it in mcporter config URLs (token in URL); token handling and storage are neither standardized nor declared.
(4) SKILL.md refers to holiday logic, but the included fetch script uses a simplified previous-day routine that does not respect the detailed holiday calendar in references/hk-holidays.md.
Install Mechanism
Install spec is a single npm package (mcporter). Using npm to install mcporter is expected and moderate risk; no arbitrary HTTP downloads or archive extraction are present. The package 'mcporter' should be verified for authenticity before global installation. The skill does not declare or install Python or the PDF libraries the Python scripts may need (weasyprint/markdown/markdown2pdf), so additional manual installs will be required.
Credentials
Metadata declares no required env vars, but SKILL.md requires obtaining a JY_API_KEY and adding it to mcporter config URLs to call MCP services. That credential requirement is real but not declared in the skill metadata. The skill asks you to configure mcporter with service URLs containing the token (token embedded in URL) — storing secrets in config files or URLs may be insecure. No other unrelated credentials are requested.
Persistence & Privilege
always:false (normal). The SKILL.md asks you to edit ~/.openclaw/openclaw.json and restart the gateway to add mcporter configuration; modifying the agent's own config is plausible for this skill but is a higher-impact action and should be done carefully (back up config first). The skill does not request global or cross-skill privileges in the metadata.
What to consider before installing
This skill appears to do what it claims (call a market-data MCP via mcporter and produce reports) but has several practical and security issues you should consider before installing:
- Verify package authenticity: the install uses npm install -g mcporter. Confirm the mcporter package is the official tool and trust the publisher before installing globally.
- Missing runtime declarations: the code is Python but the skill metadata does not list python/python3 or the Python PDF libraries (weasyprint/markdown/markdown2pdf). You will need to install Python and those packages separately.
- Credential handling: the skill requires a JY_API_KEY (described in SKILL.md) but does not declare it as a required credential. The instructions embed the token in service URLs (mcporter config add ...?token=YOUR_KEY). Avoid storing secrets in plaintext files/URLs if possible; prefer using a secure secrets store and review where the token will be saved.
- Config and paths: SKILL.md asks you to edit ~/.openclaw/openclaw.json and save reports to a hardcoded /home/liust/... path. Back up your OpenClaw config before making changes and update paths to locations appropriate for your environment.
- Command-injection risk: the Python fetch script builds shell commands and runs them with shell=True. If you or other components supply untrusted strings to the script, there is a risk of shell injection. Run the scripts in a controlled environment and inspect/validate inputs.
If you want to proceed: review the mcporter package, install Python and the required libraries in a virtual environment, configure mcporter securely (verify where tokens are stored), change hardcoded paths to safe locations, and run the scripts in an isolated or test environment first. If you prefer, ask the publisher to declare python as a required binary, declare the JY_API_KEY requirement in the metadata, avoid embedding tokens in URLs, and avoid shell=True by passing arguments as a list to subprocess.run.
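To make the shell=True finding and the recommended fix concrete, here is an added example in Python (not the skill's own fetch_hk_data.py, and not a real mcporter interface): it places the flagged string-interpolation pattern beside an argv-list builder that validates the trade date before it can reach a command line, and it uses the current Python interpreter as a stand-in child process to show that with shell=False a string containing shell metacharacters arrives as one literal argument. The `mcporter call` subcommand name comes from the scan text; the tool name and `--date` flag are constructed placeholders.

```python
"""Hardened command construction for an mcporter-style wrapper.

Added example, not the skill's code. Assumptions (labelled): the tool name
and the ``--date`` flag are constructed placeholders; only ``mcporter call``
appears in the scan report.
"""
import json
import re
import subprocess
import sys

# A trade date must be a strict ISO date (YYYY-MM-DD). Anything else,
# including strings carrying ';', '$(...)' or quotes, is rejected up front.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def is_safe_trade_date(value: str) -> bool:
    """True only when the whole string is a YYYY-MM-DD date."""
    return DATE_RE.fullmatch(value) is not None


def validate_trade_date(value: str) -> str:
    if not is_safe_trade_date(value):
        raise ValueError(f"invalid trade date: {value!r}")
    return value


def build_shell_command(tool: str, trade_date: str) -> str:
    """The flagged pattern: a string destined for subprocess.run(shell=True).

    Kept only to show the contrast. Whatever is in ``trade_date`` becomes
    part of the shell text, so metacharacters are interpreted by the shell.
    """
    return f"mcporter call {tool} --date {trade_date}"


def build_argv(tool: str, trade_date: str) -> list[str]:
    """Hardened form: an argument list for subprocess.run(shell=False).

    Each element is handed to the child verbatim by execve; there is no
    shell to reinterpret it. Validation runs before the list is built.
    """
    return ["mcporter", "call", tool, "--date", validate_trade_date(trade_date)]


def run_argv(argv: list[str]) -> subprocess.CompletedProcess:
    """Run an argv list without a shell and raise on a non-zero exit."""
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=True)


def fetch_via_mcporter(tool: str, trade_date: str) -> str:
    """What the fetch script would do; requires mcporter on PATH (not run here)."""
    return run_argv(build_argv(tool, trade_date)).stdout


def echo_args(*args: str) -> list[str]:
    """Use this interpreter as a stand-in child and return the argv it saw.

    Demonstrates that with shell=False every argument is one token, even
    when it contains characters a shell would treat specially.
    """
    child = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))", *args]
    return json.loads(run_argv(child).stdout)


if __name__ == "__main__":
    print("flagged :", build_shell_command("hk_market_summary", "2024-01-02; id"))
    print("hardened:", build_argv("hk_market_summary", "2024-01-02"))
    print("child saw:", echo_args("2024-01-02; id", "$(id)"))
```

The point of `echo_args` is that the hardened path does not depend on escaping: the child receives `"2024-01-02; id"` as a single argument, so there is nothing for a shell to split. Validation still belongs in front of it, because a downstream tool may have its own parsing of the values it is given.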
latest: vk97e5k2wzk4mgra0z469tk4xgd842fww
Runtime requirements
Bins: node, npm, mcporter
Install
Install mcporter via npm
npm i -g mcporter