Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jy-position-diagnosis
v1.0.1 · A professional securities-advisory position-diagnosis skill that generates a five-dimension position diagnosis report from the Hengsheng Juyuan (gildata) MCP financial database. It covers five core modules: position analysis, risk and public sentiment, position optimization, product recommendation, and user profiling; all data is traceable and timestamped. **Triggers when user mentions:** - "持仓诊断" (position diagnosis), "持仓分析" (position analysis), "持仓报告" (position report) -...
⭐ 0· 54·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the skill queries Gildata (gildata) MCP services via the mcporter CLI to produce portfolio-diagnosis reports. Requested binaries (node, npm, mcporter) and the declared install of the mcporter npm package are consistent with that purpose. However, SKILL.md clearly requires a JY_API_KEY (used in service URLs) but the registry metadata lists no required env vars or primary credential; this metadata omission is inconsistent and should be corrected.
Instruction Scope
SKILL.md confines runtime actions to installing/using mcporter and calling specific MCP endpoints (e.g., AShareLiveQuote, StockNewslist). It does not instruct the agent to read arbitrary system files, other credentials, or exfiltrate data to unexpected endpoints. It instructs the user/agent to request a JY_API_KEY from gildata and to configure mcporter with that token.
Install Mechanism
Install uses an npm package (mcporter) via global installation (npm install -g mcporter). Using npm is a common approach but has moderate risk: packages can execute code during install and global installs modify the host. The skill does not pull from arbitrary URLs or shorteners, but you should verify the mcporter package source, publisher, and integrity before running a global install.
Credentials
Operationally the skill requires a JY_API_KEY for gildata MCP access (SKILL.md repeatedly references configuring services with '?token=你的 JY_API_KEY', where 你的 means "your"), yet the registry metadata declares no required environment variables or primary credential. This mismatch is concerning: users may be prompted at runtime to provide or paste a secret into the mcporter config, and the skill metadata gives no explicit indication that a credential is necessary. The skill does not request unrelated credentials, but the missing declaration reduces transparency and increases the risk of accidental token exposure.
Persistence & Privilege
always:false with no OS restrictions is normal. The only persistent effect is installing mcporter (global npm) and storing service URLs/tokens in mcporter's config via 'mcporter config add' (user-configured). That is expected for a CLI-based integration, but global installs and local CLI config storage merit user awareness, because the token will be stored on disk by mcporter.
What to consider before installing and using this skill
- Metadata vs runtime mismatch: SKILL.md requires a JY_API_KEY (MCP service token) but the skill metadata does not declare any required credential; assume you will need to obtain and provide a gildata API key before use. Ask the publisher to add JY_API_KEY to the skill's declared requirements so it is explicit.
- Verify mcporter before installing: The skill requires installing mcporter globally (npm install -g mcporter). Confirm the npm package owner, downloads, and repository (who publishes mcporter) and ensure it is the legitimate CLI you expect. Global npm installs can execute scripts and modify your system PATH.
- Token handling: mcporter config add will embed the token in a stored URL/config file. Understand where mcporter stores configs and who can access them on your system. Do not reuse high-privilege or long-lived credentials; prefer a scoped key if gildata supports it.
- Privacy of application data: To obtain JY_API_KEY the SKILL.md suggests emailing datamap@gildata.com with personal/company details. That is normal for enterprise API provisioning, but be mindful of what personal data you include and how the received key is used/stored.
- Least privilege & testing: If possible, test with a low-privilege or sandbox key first. Consider installing mcporter in a contained environment (container or dedicated VM) if you are uncertain about installing global npm packages on a production machine.
- Ask the publisher for provenance: There is no homepage or known source listed. If you plan to use this in production, request the skill's publisher identity, the mcporter package repository link, and a signed or reviewed manifest so you can validate trustworthiness.
Given the above inconsistencies (missing declared credential and global npm install requirement), exercise caution. The skill appears to do what it claims, but the metadata underspecification and the install mechanism justify extra verification before installation.
Version: latest · vk970233yys0k1vjak9q1eahynn841nhq
Runtime requirements
Bins: node, npm, mcporter
Install
Install mcporter via npm
npm i -g mcporter