jy-news-interpretation
PassAudited by ClawScan on May 10, 2026.
Overview
This is a coherent financial-news skill that uses a disclosed third-party MCP data provider and API key, with some normal setup and scheduling risks users should review.
Before installing, confirm you trust the mcporter package and the Gildata/Juyuan MCP provider, use a dedicated API key where possible, protect the mcporter configuration file, and enable the scheduled-report example only if you want recurring automatic reports.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Queries may use your Juyuan account/API quota, and anyone with access to the mcporter config could potentially see or reuse the key.
The skill needs a provider API key and stores it in mcporter service configuration, which is expected for this data integration but grants account-backed access to the Juyuan service.
需要获取 JY_API_KEY 并配置:... mcporter config add jy-financedata-tool --url "https://api.gildata.com/...?...token=你的 JY_API_KEY"
Use a dedicated, revocable API key if possible, protect the mcporter config file, and avoid pasting real keys into chats or logs.
Invoking the skill can result in local mcporter commands and external service calls, which may consume API quota or reveal query text to the provider.
The skill instructs the agent to run local CLI checks and make test/provider calls before use. These commands are relevant to the skill but still exercise local tooling and external API access.
每次使用本技能时,应先执行以下检查:... mcporter list ... mcporter call jy-financedata-api.CompanyBasicInfo query="测试 600519.SH" --output json
Review the setup commands before first use and avoid including confidential trading or company information in provider queries unless appropriate.
You are trusting the npm package installed as mcporter and any future version resolved by npm.
The skill depends on a globally installed npm package, and the documented install command does not pin a version. This is common for CLI-based integrations but creates normal package-provenance considerations.
npm install -g mcporter
Install mcporter from the expected publisher, consider pinning or reviewing the package version, and keep it updated through normal trusted channels.
Financial-news queries and related context may be sent to the Juyuan/Gildata MCP service.
The skill routes user queries through an MCP gateway to a disclosed external provider endpoint. This is expected for the skill, but it defines an external data boundary.
mcporter config add jy-financedata-api --url "https://api.gildata.com/mcp-servers/aidata-assistant-srv-api?token=你的 JY_API_KEY"
Do not send confidential or regulated information through the skill unless your organization permits that provider use.
If enabled, the skill may keep running on a schedule and make recurring provider calls.
The examples show an optional scheduled daily financial report. It is disclosed and aligned with the skill purpose, but scheduled execution is persistent behavior.
"schedule": { "kind": "cron", "expr": "40 8 * * 1-5", "tz": "Asia/Shanghai" }, ... "enabled": trueEnable scheduled reports only if you want recurring execution, and review or disable the cron entry when it is no longer needed.