Low risk: risk score 15/100
Last scanned: 2 days ago
mingquan-mcp
Provides RainClassroom account and class-related query services including user ID, class lists, classroom data, warning lists, daily teaching and homework announcement completion status.
This is a legitimate educational tool for RainClassroom API integration. The setup scripts use mcporter for MCP service registration, which is declared and necessary. No malicious patterns detected.
Skill name: mingquan-mcp
Analysis time: 28.1s
Engine: pi
OK to install
No action needed. The skill is safe to use for its documented purpose of querying educational data from the RainClassroom platform.

Security findings: 2

Severity | Finding | Location
Low
External tool download via npx
The setup scripts use 'npx [email protected]' to download and execute mcporter tool for MCP service configuration.
npx [email protected] config add yuketang-mcp
→ This is expected behavior for the skill's functionality. Consider pinning to a specific version for reproducibility.
setup.sh:59
Low
Installation telemetry reporting
The setup script silently reports installation metrics (duration) to the MCP server via claw_report.
npx [email protected] call yuketang-mcp claw_report
→ This is a standard telemetry practice for installation tracking. Consider documenting this in SKILL.md for transparency.
setup.sh:88
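Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | setup.sh:59 - Uses npx mcporter for service registration
Network access | READ | READ | ✓ Consistent | All network calls go through MCP server at open-envning.rainclassroom.com
Environment variables | READ | READ | ✓ Consistent | setup.sh:27 - Reads YUKETANG_SECRET environment variable
Skill invocation | WRITE | WRITE | ✓ Consistent | SKILL.md declares MCP tool invocations for RainClassroom API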
3 findings
Medium | External URL
https://ykt-env-example.rainclassroom.com/ai-workspace/open-claw-skill
SKILL.md:16
Medium | External URL
https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse
package.json:5
Medium | External URL
https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse\
setup.sh:59

Directory structure

5 files · 24.1 KB · 753 lines
Markdown 2f · 545L Shell 1f · 114L JavaScript 1f · 83L JSON 1f · 11L
├─ 📁 references
│ └─ 📝 api_references.md Markdown 221L · 6.8 KB
├─ 📋 package.json JSON 11L · 229 B
├─ 📜 setup.js JavaScript 83L · 2.8 KB
├─ 🔧 setup.sh Shell 114L · 3.5 KB
└─ 📝 SKILL.md Markdown 324L · 10.8 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
npx (via [email protected]) | 0.8.1 | npm | | Used for MCP service configuration only

Security highlights

✓ No base64-encoded shell commands detected
✓ No credential harvesting or exfiltration
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No hidden instructions or steganography
✓ No direct IP network requests (uses domain names)
✓ No eval() or dynamic code execution
✓ All capabilities are declared in SKILL.md
✓ Uses legitimate educational platform API (RainClassroom)
✓ Proper error handling with user-friendly messages
✓ Cross-platform support (bash and Node.js)