mingquan-mcp Security Report — Low Risk | ClawSafe

15 /100

mingquan-mcp

Provides RainClassroom account and class-related query services including user ID, class lists, classroom data, warning lists, daily teaching and homework announcement completion status.

This is a legitimate educational tool for RainClassroom API integration. The setup scripts use mcporter for MCP service registration, which is declared and necessary. No malicious patterns detected.

Skill Namemingquan-mcp

Duration28.1s

Enginepi

✓

Safe to install

No action needed. The skill is safe to use for its documented purpose of querying educational data from the RainClassroom platform.

Findings 2 items

Severity	Finding	Location
Low	External tool download via npx The setup scripts use 'npx [email protected]' to download and execute mcporter tool for MCP service configuration. `npx [email protected] config add yuketang-mcp` → This is expected behavior for the skill's functionality. Consider pinning to a specific version for reproducibility.	`setup.sh:59`
Low	Installation telemetry reporting The setup script silently reports installation metrics (duration) to the MCP server via claw_report. `npx [email protected] call yuketang-mcp claw_report` → This is a standard telemetry practice for installation tracking. Consider documenting this in SKILL.md for transparency.	`setup.sh:88`

Resource	Declared	Inferred	Status	Evidence
Shell	`WRITE`	`WRITE`	✓ Aligned	setup.sh:59 - Uses npx mcporter for service registration
Network	`READ`	`READ`	✓ Aligned	All network calls go through MCP server at open-envning.rainclassroom.com
Environment	`READ`	`READ`	✓ Aligned	setup.sh:27 - Reads YUKETANG_SECRET environment variable
Skill Invoke	`WRITE`	`WRITE`	✓ Aligned	SKILL.md declares MCP tool invocations for RainClassroom API

3 findings

🔗

Medium External URL 外部 URL

https://ykt-env-example.rainclassroom.com/ai-workspace/open-claw-skill

SKILL.md:16

🔗

Medium External URL 外部 URL

https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse

package.json:5

🔗

Medium External URL 外部 URL

https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse\

setup.sh:59

File Tree

5 files · 24.1 KB · 753 lines

Markdown 2f · 545L Shell 1f · 114L JavaScript 1f · 83L JSON 1f · 11L

├─ ▾ 📁 references

│ └─ 📝 api_references.md Markdown 221L · 6.8 KB

├─ 📋 package.json JSON 11L · 229 B

├─ 📜 setup.js JavaScript 83L · 2.8 KB

├─ 🔧 setup.sh Shell 114L · 3.5 KB

└─ 📝 SKILL.md Markdown 324L · 10.8 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`npx (via [email protected])`	`0.8.1`	npm	No	Used for MCP service configuration only

Security Positives

✓ No base64-encoded shell commands detected

✓ No credential harvesting or exfiltration

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ No hidden instructions or steganography

✓ No direct IP network requests (uses domain names)

✓ No eval() or dynamic code execution

✓ All capabilities are declared in SKILL.md

✓ Uses legitimate educational platform API (RainClassroom)

✓ Proper error handling with user-friendly messages

✓ Cross-platform support (bash and Node.js)

Scan Report

Findings 2 items

File Tree

Dependencies 1 items

Security Positives