jy-industry-brief

ReviewAudited by ClawScan on May 10, 2026.

Overview

The visible artifacts coherently generate GILData-backed industry briefings; they require external MCP setup, an API key, and local commands, but show no hidden exfiltration or destructive behavior.

Install this only if you intend to use GILData MCP services. Run npm, mcporter, and OpenClaw configuration changes yourself, protect the JY_API_KEY, and assume industry queries go to GILData. No malicious behavior is evident in the provided artifacts, but review the full SKILL.md before installing because the supplied SKILL.md excerpt was truncated.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Installing an unpinned global tool can introduce dependency or version risks if the package source is compromised or changes behavior.

Why it was flagged

The skill depends on installing the mcporter npm package, apparently without a pinned version. This is central to the MCP workflow, but users should still trust the package source.

Skill content

requires: bins: ["node", "npm", "mcporter"] ... install ... kind: node ... package: mcporter

Recommendation

Install mcporter only from a trusted npm source, consider pinning or verifying the version, and review updates before use.

Medium

#ASI03: Identity and Privilege Abuse

What this means

Anyone with access to the mcporter configuration may be able to use the GILData API key and associated service access.

Why it was flagged

The setup stores and uses a provider API key in the MCP service URL. This is expected for GILData access, but it is still a sensitive credential.

Skill content

mcporter config add jy-financedata-api --url "https://api.gildata.com/mcp-servers/aidata-assistant-srv-api?token=你的 JY_API_KEY"

Recommendation

Store the JY_API_KEY securely, avoid sharing config files, rotate the key if exposed, and confirm the key has only the access needed.

Low

#ASI02: Tool Misuse and Exploitation

What this means

Once configured, the agent may have access to many GILData MCP tools beyond the specific examples in the report workflow.

Why it was flagged

The instructions enable a broad MCP tool service through mcporter and restart the OpenClaw gateway. This is relevant to the skill's purpose, but expands available tool surface.

Skill content

jy-financedata-api (252+ tools) ... "mcporter": { "enabled": true ... } ... openclaw gateway restart

Recommendation

Approve setup commands manually, keep the mcporter configuration scoped to trusted services, and monitor which MCP tools are used.

Low

#ASI07: Insecure Inter-Agent Communication

What this means

Industry queries and authentication metadata are sent to the configured GILData MCP service.

Why it was flagged

The skill routes queries through an external MCP provider endpoint. This is disclosed and matches the stated GILData-backed purpose.

Skill content

https://api.gildata.com/mcp-servers/aidata-assistant-srv-tool?token=你的 JY_API_KEY

Recommendation

Use the skill only if sending those queries to GILData is acceptable, and avoid including confidential internal information in prompts.