jy-portfolio-calculation

What to check before installing/using this skill: - Verify the npm package 'mcporter' provenance (who publishes it, package homepage, recent versions) before running npm install -g. Global npm installs run code at install time. - The skill expects you to obtain a JY_API_KEY (API secret) from 恒生聚源 and put it into the mcporter config or in a service URL. Prefer storing secrets in a local mcporter config file (with appropriate filesystem permissions) rather than embedding secrets into command-line URLs or committing them to configs visible to others. - SKILL.md suggests setting MCPORTER_CONFIG in openclaw.json, but the skill metadata does not declare this env var—treat MCPORTER_CONFIG and JY_API_KEY as sensitive credentials. Back up ~/.openclaw/openclaw.json (or the Windows equivalent) before editing and verify file permissions after changes. - The included Python scripts use fpdf (fpdf2) and expect system fonts under /usr/share/fonts; the install metadata does not install Python dependencies. If you plan to run the scripts, ensure a Python environment with required packages (pip install fpdf2) and that font paths exist or modify the script to use an available font. - Confirm mcporter configuration paths and ownership: examples reference /root/config/mcporter.json (privileged user) and user home paths—use the correct path for your environment and avoid storing credentials in world-readable locations. - If you cannot verify the mcporter npm package or prefer not to install global npm packages, consider invoking the backend APIs via another vetted client or asking the skill author for a more self-contained adapter with clearly declared dependencies. Overall: the skill appears to implement the described functionality, but missing dependency declarations and the lack of explicit required-env metadata for MCPORTER_CONFIG/JY_API_KEY are credible red flags — review the above items and confirm package provenance and secret-handling practices before installing or providing credentials.