openamc-mcp

This skill appears to be an instruction-only connector that calls a local MCP server via the `mcp` CLI to fetch financial data — that is consistent with its description. However there are several mismatches in the package that you should resolve before installing: - Confirm the source and provenance: the package has no homepage and the ownerId/version in _meta.json do not match the registry metadata. Ask the publisher to provide a canonical source (homepage, repository, signed release) and explain the owner/version discrepancy. - Verify the `mcp` binary and MCP server: SKILL.md requires a locally installed `mcp` command and a server at http://127.0.0.1:8001. Ensure you trust the `mcp` binary (where it came from) and that the MCP server implementation is safe. The skill will call whatever functions that server exposes. - Confirm permissions: _meta.json claims network and messaging permissions. Check whether the MCP server or `mcp` client will make outbound network calls beyond localhost or require credentials. If you do not want external network access, run the MCP server in an isolated environment and audit `mcp`'s behavior first. - Test in a sandbox: before granting this to a production agent, run sample `mcp call openamc ...` commands manually on an isolated machine to observe what data is fetched and where traffic goes. - Ask for missing details: request the publisher provide the `mcp` binary source, MCP server code or API spec, and a clear statement of required permissions. If these are not available or the publisher cannot explain the manifest mismatches, treat the skill as untrusted. What would change this assessment: if the publisher supplies a verifiable repository or homepage, a signed release for the `mcp` binary, and an explicit manifest that consistently declares the required binary and permissions, this would move the assessment toward benign.