Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jy-stock-selection-and-analysis
v1.0.1. Based on the Hang Seng Juyuan (GilData) MCP platform; provides conditional stock screening, financial and valuation analysis, technical indicators, industry comparison, and generation of complete stock research reports.
⭐ 1 · 30 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)
Verdict: Suspicious (high confidence)
Purpose & Capability
The stated purpose (GilData MCP-based stock screening and report generation) matches the instructions (calls to mcporter and MCP services). However the registry metadata claims no required binaries or credentials while the SKILL.md includes an openclaw block that requires node/npm/mcporter and an external JY_API_KEY — a clear metadata/instruction mismatch.
Instruction Scope
Runtime instructions tell the agent/user to install mcporter, configure MCP services with URLs that include the JY_API_KEY token, run mcporter calls to fetch many data endpoints, edit OpenClaw configuration (~/.openclaw/openclaw.json) to enable mcporter, and restart the gateway. Those steps go beyond pure read-only querying: they modify agent config and persist credentials in config files/URLs, increasing the blast radius and potential exposure.
Install Mechanism
There is no registry install spec, but SKILL.md suggests installing the 'mcporter' npm package (npm install -g mcporter) and includes a YAML install block referencing mcporter. Installing an npm package from the public registry is a common pattern but introduces moderate risk if the package or its dependencies are untrusted; the mismatch between declared install (none) and documented install is a red flag.
Credentials
The skill requires a JY_API_KEY (MCP auth), which is appropriate for contacting GilData, but SKILL.md shows the API key embedded in service URLs (token=<your JY_API_KEY>) and suggests config paths such as /root/config/mcporter.json. Embedding secrets in URL query strings and using root-owned paths can expose the key via server or proxy access logs, shell history, process listings, or improperly secured files. The registry metadata did not declare any required env vars or credentials, so the required secret is not transparently declared.
Persistence & Privilege
Instructions explicitly tell the user to edit OpenClaw's global config to enable mcporter and set MCPORTER_CONFIG, then restart the OpenClaw gateway — this modifies agent-wide configuration and persists a third-party tool integration. The skill does not set always:true, but asking to change system-level agent config and add persisted credentials increases privilege and persistence beyond a typical instruction-only skill.
What to consider before installing
This skill's purpose (GilData MCP-driven stock analysis) is plausible, but the SKILL.md and the registry disagree: the documentation requires installing 'mcporter' and a JY_API_KEY and instructs you to edit OpenClaw's config and embed the key in service URLs. Before installing or using it:
(1) ask the publisher to update the registry metadata to declare the required binaries and the JY_API_KEY;
(2) avoid embedding API keys in URL query strings; prefer storing them in a secure env var or protected config and ensure mcporter reads them safely;
(3) do not place config files under /root or use root paths unless you understand the privilege implications;
(4) review and vet the 'mcporter' npm package source and version;
(5) back up your openclaw.json before applying changes and consider running the skill in an isolated environment or sandbox;
(6) request clarification on why the skill requires modifying global OpenClaw configuration (could it be scoped to just this skill?).
These steps reduce the risk of accidental credential exposure or unwanted persistent changes to your agent.
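The checks in items (2), (3) and (5) above can be automated before any config is written. The script below is an added example, not code from the skill, from mcporter, or from ClawHub; the shape of the JSON config (a "services" map with "url" entries and a "configPath" string) and the mcp.example.invalid URL are assumptions constructed for illustration, since the real mcporter schema is not shown on this page. It walks an arbitrary JSON config, flags query parameters that look like credentials, flags paths under /root, returns a copy with the secret stripped from the URL so the key can be supplied out of band, and writes the result only after taking a timestamped backup with owner-only permissions.

```python
"""Pre-install check for an MCP/mcporter-style JSON config.

Added example (not part of the skill, mcporter or ClawHub). The config
layout below is a hypothetical sample; the checks themselves are generic
and walk whatever JSON they are given.
"""
import json
import os
import re
import shutil
from datetime import datetime
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that usually carry a credential.
SECRET_PARAM = re.compile(r"(token|api[_-]?key|secret|password|auth)", re.I)

# Constructed sample: a hypothetical mcporter config with the API key in the URL,
# the pattern the scan above warns about. "JYKEY123" is a placeholder, not a real key.
SAMPLE_CONFIG = {
    "services": {
        "jy-stock": {"url": "https://mcp.example.invalid/sse?token=JYKEY123&v=1"},
        "safe": {"url": "https://mcp.example.invalid/sse"},
    },
    "configPath": "/root/config/mcporter.json",
}


def _walk(node, path=()):
    """Yield (json_path, value) for every string leaf in a nested JSON object."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _walk(v, path + (k,))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _walk(v, path + (i,))
    elif isinstance(node, str):
        yield path, node


def find_secrets_in_urls(config):
    """Return [(json_path, param_name)] for URL query params that look like secrets."""
    hits = []
    for path, value in _walk(config):
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or not parts.query:
            continue
        for name, _ in parse_qsl(parts.query, keep_blank_values=True):
            if SECRET_PARAM.search(name):
                hits.append((".".join(map(str, path)), name))
    return hits


def find_root_paths(config):
    """Return json paths whose string value is a filesystem path under /root."""
    return [".".join(map(str, path)) for path, value in _walk(config)
            if value == "/root" or value.startswith("/root/")]


def strip_url_secrets(config):
    """Return a deep copy of config with secret-looking query params removed from URLs.

    The key is dropped, not moved: supply it to the tool via an environment
    variable or a 0600 file instead of the URL."""
    def fix(node):
        if isinstance(node, dict):
            return {k: fix(v) for k, v in node.items()}
        if isinstance(node, list):
            return [fix(v) for v in node]
        if isinstance(node, str):
            parts = urlsplit(node)
            if parts.scheme in ("http", "https") and parts.query:
                kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
                        if not SECRET_PARAM.search(k)]
                return urlunsplit(parts._replace(query=urlencode(kept)))
        return node
    return fix(config)


def backup_and_write(path, config):
    """Write config to path, first copying any existing file to a timestamped
    .bak, and create the new file 0600 so other local users cannot read it."""
    if os.path.exists(path):
        stamp = datetime.now().strftime("%Y%m%d%H%M%S")
        shutil.copy2(path, f"{path}.bak-{stamp}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(config, f, indent=2)
    return path


if __name__ == "__main__":
    for where, param in find_secrets_in_urls(SAMPLE_CONFIG):
        print(f"secret-looking query param {param!r} in URL at {where}")
    for where in find_root_paths(SAMPLE_CONFIG):
        print(f"config path under /root at {where}")
    print(json.dumps(strip_url_secrets(SAMPLE_CONFIG), indent=2))
```

Run it against the real mcporter.json (load it with json.load in place of SAMPLE_CONFIG) before enabling mcporter in openclaw.json; any hit from find_secrets_in_urls means the key would travel in a URL and land in access logs and shell history, and a hit from find_root_paths means the file lives where only root can sensibly manage it.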
Latest version: vk974qdg9pgvxtref7a85t78jz1845jnk
