ClawHub

jy-transaction-analysis

v1.0.0

A 股交易流水分析 skill。接收用户交易流水文本,生成专业的《交易片段行为速览》HTML 报告,包含交易解析、闭环识别、关键交易剖析、行为画像等。触发场景:用户粘贴交易流水、要求分析交易记录、查看交易行为、评估交易表现等。A-share transaction analysis skill. Receives...

0· 37·0 current·0 all-time
by@jiayinian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The stated purpose (parse transaction text, identify closed loops, produce an HTML report and enrich with market data) matches the instructions: parsing rules, analysis rules, and calls to a market-data MCP service (via mcporter) are all present and expected.
Instruction Scope
Runtime instructions focus on parsing user-supplied transaction text and calling mcporter to fetch market data. They do not instruct reading unrelated system files. They do, however, require configuring mcporter and a JY_API_KEY (obtained from a third party) which is necessary to perform the data-enrichment steps.
Install Mechanism
The install spec is npm global install of the single package mcporter (mcporter used as a CLI). This is proportionate to the need to call MCP services but carries usual npm/global-install considerations (package authenticity, need for elevated privileges, supply-chain risk). No arbitrary download URLs or extracted archives are used.
!
Credentials
SKILL.md requires a JY_API_KEY and instructs adding it to mcporter's configuration (mcporter config add ...?token=JY_API_KEY), but the registry metadata declares no required environment variables or config paths. The key is necessary and proportionate to the skill's purpose, but the manifest should explicitly declare it (or declare a required config-path) so users understand credential requirements up-front.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is instruction-only (no embedded code). It asks the user to configure a local mcporter config which stores the API token locally; that is normal for this use-case and not itself a privilege escalation.
Assessment
This skill appears to do what it claims: parse pasted A‑share trade text and call a market‑data service (via the mcporter CLI) to enrich analysis and generate a self-contained HTML report. Before installing/using it: (1) be aware you will need to obtain a JY_API_KEY from the listed data provider and configure mcporter locally — the skill's registry metadata does not list this key, which is an omission; (2) mcporter is installed via npm globally — verify the mcporter package (npm page / GitHub) and consider installing in a controlled environment or container if you are cautious; (3) the mcporter config command stores the token locally (in a config file) — keep that key secret and understand where it is saved (mcporter config path); (4) the skill will make outbound calls to api.gildata.com endpoints to fetch market data — if you cannot or do not want external network calls, do not configure the key or use the skill; (5) if you need higher assurance, request the author to add JY_API_KEY and the mcporter config path to the skill manifest (requires.env / requires.config paths), and to publish links to the mcporter source for vetting. If any of these points are unacceptable, do not install or run the skill until they are clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e82t9a61b0jz7bnzeqweq2x84436b

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, npm, mcporter

Install

Install mcporter via npmnpm i -g mcporter

Comments