Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jy-industry-brief
v1.0.0 · Generates a briefing for a specified industry covering the past 24 hours, based on the 聚源 (Gildata) financial database accessed over MCP; it covers quick-read material, important news, company developments, and investment and financing events, and supports Markdown and HTML output.
⭐ 0 · 72 · 0 current · 0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's functionality (pulling data from the MCP/Gildata service via mcporter and producing Markdown/HTML/PDF reports) matches the description. However, the registry summary lists no required binaries or credentials while SKILL.md clearly declares dependency on node/npm/mcporter and describes obtaining and using a JY_API_KEY — a metadata mismatch that reduces trust. The included md2pdf.py is consistent with the PDF-export feature.
Instruction Scope
Runtime instructions require running mcporter calls, validating time stamps, and editing local OpenClaw configuration files (openclaw.json) and environment settings. The SKILL.md also mandates reading all reference files before execution. Notably, it instructs placing the JY_API_KEY as a token parameter in mcporter config URLs and enabling mcporter in openclaw.json — both involve handling sensitive credentials and changing agent configuration. The instructions do not access unrelated system secrets, but they do grant the skill broad ability to call the MCP service and instruct the user to modify a local agent config file.
Install Mechanism
The install approach described in SKILL.md is npm install -g mcporter (public npm). This is a typical moderate-risk install (npm packages should be verified). The registry-level metadata (which claimed no install) is inconsistent with the SKILL.md containing an 'install' block. There are no downloads from unknown URLs or shorteners; mcporter and api.gildata.com are the only external endpoints referenced.
Credentials
The skill requires a JY_API_KEY to access MCP/Gildata, but the registry's required-env and primary credential fields are empty — an omission. The instructions also tell the user to embed the JY_API_KEY as a token query parameter in mcporter config URLs and to set MCPORTER_CONFIG in openclaw.json, which would store a path/credential pointer in local config. Requesting a single service API key is proportionate to the stated purpose, but the lack of declared env requirements and the guidance to place tokens directly in config URLs are concerning practices.
Persistence & Privilege
The skill does not request always:true and does not autonomously change other skills. However, it explicitly instructs the user to enable the 'mcporter' tool inside OpenClaw (editing openclaw.json) and to restart the gateway. That requires modifying agent-local configuration, which is significant but is explained in the docs and consistent with the required functionality. Users should be aware they are enabling a third-party connector in their agent environment.
What to consider before installing
What to check before installing/using:
1) Verify the mcporter npm package: check its npm page, maintainer, and code before running npm install -g.
2) Confirm the external API (api.gildata.com) and the JY_API_KEY issuance process are legitimate for your organization; ask for vendor documentation or a homepage (the skill metadata lacks a homepage).
3) Avoid embedding API keys in plain URLs/config files where possible; prefer secrets stored in secure environment variables and scoped, revocable API keys.
4) Be cautious about editing openclaw.json/system agent config and enabling third-party connectors — understand the MCPORTER_CONFIG path you add and who can read it.
5) Inspect the included md2pdf.py and any packages you install (reportlab for PDF) locally for unwanted behavior.
6) If you need to proceed: create a limited-scope JY_API_KEY (if the provider supports it), keep logs/requests visible, and be prepared to revoke the key after testing.
7) If anything about the package origin or owner (homepage, vendor contact) is unclear, treat the skill as untrusted until provenance is established.
Like a lobster shell, security has layers — review code before you run it.
latest · vk979dcrea9fsprqkebex7aqb91844wce
