jy-policy-interpretation

Summary of what to consider before installing/using: - Metadata mismatch: the registry lists no credentials, but the SKILL.md requires obtaining a JY_API_KEY and configuring mcporter. Expect to provide and store an API key before the skill works. - Verify the mcporter npm package: check the npm package page, repository, maintainers, and recent activity before running `npm install -g mcporter`. Installing arbitrary global npm packages carries risk. - Protect the JY_API_KEY: the instructions place the token in mcporter config URLs (and potentially in a file under /root or ~/.config). Store the key with restricted file permissions and avoid sharing it broadly; prefer using a secure secret store if available. - OpenClaw config changes are required: enabling mcporter in ~/.openclaw/openclaw.json will persist and let the skill call MCP services. Only enable when you trust the source and restrict access to that config file. - Network/endpoints: the skill expects to call api.gildata.com (聚源). Confirm you trust that provider and that the requested data types align with your use case and compliance requirements. - Least privilege: if possible, provision a scoped JY_API_KEY tied to limited access and rotate/revoke it when no longer needed. - If you need stronger assurance: ask the skill author for provenance (homepage/source repo), a signed npm package or repository link, and explicit registry metadata updates that declare the required credential and config paths. Given the above, the skill appears to implement what it claims, but the documentation/metadata inconsistency and the need to install an external npm tool and store an API key are reasons to proceed cautiously.