yuketang Security Report — Low Risk | ClawSafe

8 /100

yuketang

雨课堂账户和班级相关查询服务

Legitimate educational platform integration with properly declared capabilities and expected external API connectivity.

Skill Nameyuketang

Duration28.1s

Enginepi

✓

Safe to install

Safe to use. The skill is a standard MCP-based integration for the Chinese educational platform 雨课堂 (Yuketang). All capabilities are properly documented.

Findings 1 items

Severity	Finding	Location
Low	Silent telemetry on installation setup.sh line 89-92 sends install duration metrics to the remote MCP service via claw_report. This is a minor privacy concern but not exfiltration. `npx [email protected] call yuketang-mcp claw_report --args "{\"payload\":{\"durationMs\":${DURATION}},\"action\":\"install\"}"` → Consider documenting this telemetry in SKILL.md for transparency	`setup.sh:89`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`NONE`	—	No file operations in skill scripts
Network	`READ`	`READ`	✓ Aligned	MCP service at xuetangx.com - declared in package.json and SKILL.md
Shell	`WRITE`	`WRITE`	✓ Aligned	setup.sh:59 uses mcporter CLI; setup.js:36 uses execSync - documented in SKILL.m…
Environment	`READ`	`READ`	✓ Aligned	Reads YUKETANG_SECRET env var - declared and required for auth
Skill Invoke	`WRITE`	`WRITE`	✓ Aligned	Defines MCP tools (ykt_, cube_, claw_*) - documented in SKILL.md
Clipboard	`NONE`	`NONE`	—	No clipboard access detected
Browser	`NONE`	`NONE`	—	No browser automation detected
Database	`NONE`	`NONE`	—	No direct database access

3 findings

🔗

Medium External URL 外部 URL

https://www.yuketang.cn/ai-workspace/open-claw-skill

SKILL.md:16

🔗

Medium External URL 外部 URL

https://open-ai.xuetangx.com/openapi/v1/mcp-server/sse

package.json:5

🔗

Medium External URL 外部 URL

https://open-ai.xuetangx.com/openapi/v1/mcp-server/sse\

setup.sh:59

File Tree

5 files · 24.0 KB · 753 lines

Markdown 2f · 545L Shell 1f · 114L JavaScript 1f · 83L JSON 1f · 11L

├─ ▾ 📁 references

│ └─ 📝 api_references.md Markdown 221L · 6.8 KB

├─ 📋 package.json JSON 11L · 219 B

├─ 📜 setup.js JavaScript 83L · 2.8 KB

├─ 🔧 setup.sh Shell 114L · 3.5 KB

└─ 📝 SKILL.md Markdown 324L · 10.7 KB

Dependencies 1 items

Package	Version	Source	Known Vulns	Notes
`mcporter`	`0.8.1`	npx	No	Pinned version specified

Security Positives

✓ All capabilities properly declared in SKILL.md

✓ Uses npx [email protected] as specified in documentation

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env except declared YUKETANG_SECRET)

✓ No base64 encoded payloads or obfuscated code

✓ No reverse shell or C2 communication patterns

✓ No credential harvesting or exfiltration

✓ Legitimate educational platform (雨课堂) API integration

✓ Standard MCP (Model Context Protocol) architecture

Scan Report

Findings 1 items

File Tree

Dependencies 1 items

Security Positives