jy-portfolio-calculation

Pass. Audited by ClawScan on May 10, 2026.

Overview

No malicious behavior is evident; this is a disclosed financial-simulation MCP integration, but it uses a provider API key and can create or rebalance simulated portfolios, so setup and actions should be reviewed.

This skill appears safe for its stated purpose if you intend to use the GILData simulated portfolio service. Before installing, verify the mcporter package and endpoint, keep the JY_API_KEY private, and ask the agent to confirm any automatic date or cash-allocation adjustments before creating or rebalancing a simulated portfolio.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A simulated portfolio could be created or rebalanced with slightly different assumptions than the user originally stated.

Why it was flagged

The skill documents automatic changes to requested rebalance inputs before calling the provider. This is disclosed and purpose-aligned, but users should review the adjusted date and weights before relying on the result.

Skill content
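When the user requests a rebalance using today's date or a future date: 1. Automatic adjustment: use the previous trading day... If the weights entered by the user sum to less than 1, automatically make up the difference with cash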
Recommendation

Ask the agent to show the exact date, weights, and cash allocation before executing build or rebalance calls.

What this means

The provider API key grants access to the configured GILData MCP service and should be treated as a secret.

Why it was flagged

The skill requires a provider API key when the MCP service is not already configured. This credential use is disclosed and matches the stated financial-data integration.

Skill content
You need to obtain a JY_API_KEY and configure it... mcporter config add jy-financedata-api --url "https://api.gildata.com/mcp-servers/aidata-assistant-srv-api?token=你的 JY_API_KEY"
Recommendation

Use a dedicated or least-privilege JY_API_KEY if available, avoid sharing command logs containing the token, and remove the key from local config when no longer needed.

What this means

Installing or updating the dependency could change behavior if the upstream package changes.

Why it was flagged

The skill depends on installing the mcporter npm package without a pinned version in the provided install spec. This is expected for the MCP workflow, but it is still a supply-chain dependency.

Skill content
[0] node | package: mcporter
Recommendation

Install mcporter from a trusted source, consider pinning a known-good version where possible, and review package updates.

What this means

Portfolio instructions and IDs are sent to the configured external financial-data provider.

Why it was flagged

The skill routes natural-language portfolio instructions, portfolio IDs, and query details through an external MCP service. This is disclosed and central to the skill.

Skill content
mcporter call jy-financedata-api.PortfolioBuild query='2026-03-20 建仓...'
Recommendation

Do not include unnecessary personal or confidential information in portfolio queries, and confirm the configured MCP endpoint is the intended provider.