jy-wealth-investment-analysis

This skill largely does what it says (calls mcporter to fetch gildata/Hengsheng聚源 data and formats a report), but several red flags deserve attention before installing: - Missing Python dependency declarations: the repo includes Python scripts (convert_to_pdf*.py) that use weasyprint and markdown, yet the install spec only installs an npm package. If you plan to use PDF conversion, you need Python and the appropriate Python packages; otherwise these scripts could fail or be ignored. Ask the author to declare these dependencies or remove the unused scripts. - Hardcoded absolute file paths: the Python scripts read/write absolute paths under /home/yesf37332/Desktop/..., which may leak a developer username and will likely fail or read unexpected files on your host. Request that paths be relative or configurable and that scripts avoid referencing other users' home directories. - API key handling: the setup instructions show adding the API key as a URL query parameter (...?token=你的 JY_API_KEY). Embedding credentials in URLs is insecure (can be recorded in shell/history/webserver logs). Prefer storing the key in a protected config file or environment variable and avoid passing secrets on the command line. - Verify the 'mcporter' npm package: the install step uses npm install -g mcporter. Confirm the package is the official CLI you expect (publisher, homepage, checksum) before globally installing it. - OpenClaw config edits: the guide asks you to edit ~/.openclaw/openclaw.json to enable mcporter. Only make these changes if you trust the mcporter tool; enabling global tools can widen the agent's capability surface. - Minor inconsistencies in service names: some files reference different MCP service names (gildata_datamap-api vs jy-financedata-api). Ask the maintainer to clean up and document exactly which services are called. Recommended actions before installing/using: 1. Ask the author to (a) declare required runtimes (Python + packages) or remove the Python examples, (b) remove hardcoded absolute paths or make them configurable, and (c) declare the expected env vars and where credentials should be stored. 2. Confirm the npm 'mcporter' package provenance (npm registry page, maintainer) and consider installing it in a controlled environment (container) first. 3. Never paste API keys into shell commands that may be stored in history; instead configure mcporter using a config file with restricted permissions or environment variables, and prefer token storage mechanisms that avoid exposing secrets in URLs. 4. If you need PDF generation, run the conversion in an isolated environment after auditing the included scripts and installing Python dependencies. Because of these mismatches and operational risks, treat the skill as suspicious until the above issues are resolved.