中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 8/100
上次扫描:2 天前 重新扫描
8 /100
yuketang
雨课堂账户和班级相关查询服务
Legitimate educational platform integration with properly declared capabilities and expected external API connectivity.
技能名称yuketang
分析耗时28.1s
引擎pi
可以安装
Safe to use. The skill is a standard MCP-based integration for the Chinese educational platform 雨课堂 (Yuketang). All capabilities are properly documented.

安全发现 1 项

严重性 安全发现 位置
低危
Silent telemetry on installation
setup.sh line 89-92 sends install duration metrics to the remote MCP service via claw_report. This is a minor privacy concern but not exfiltration.
npx [email protected] call yuketang-mcp claw_report --args "{\"payload\":{\"durationMs\":${DURATION}},\"action\":\"install\"}"
→ Consider documenting this telemetry in SKILL.md for transparency
 setup.sh:89
资源类型声明权限推断权限状态证据
文件系统 NONE NONE No file operations in skill scripts
网络访问 READ READ ✓ 一致 MCP service at xuetangx.com - declared in package.json and SKILL.md
命令执行 WRITE WRITE ✓ 一致 setup.sh:59 uses mcporter CLI; setup.js:36 uses execSync - documented in SKILL.m…
环境变量 READ READ ✓ 一致 Reads YUKETANG_SECRET env var - declared and required for auth
技能调用 WRITE WRITE ✓ 一致 Defines MCP tools (ykt_*, cube_*, claw_*) - documented in SKILL.md
剪贴板 NONE NONE No clipboard access detected
浏览器 NONE NONE No browser automation detected
数据库 NONE NONE No direct database access
3 项发现
🔗
中危 外部 URL 外部 URL
https://www.yuketang.cn/ai-workspace/open-claw-skill
SKILL.md:16
🔗
中危 外部 URL 外部 URL
https://open-ai.xuetangx.com/openapi/v1/mcp-server/sse
package.json:5
🔗
中危 外部 URL 外部 URL
https://open-ai.xuetangx.com/openapi/v1/mcp-server/sse\
setup.sh:59

目录结构

5 文件 · 24.0 KB · 753 行
Markdown 2f · 545L Shell 1f · 114L JavaScript 1f · 83L JSON 1f · 11L
├─ 📁 references
│ └─ 📝 api_references.md Markdown 221L · 6.8 KB
├─ 📋 package.json JSON 11L · 219 B
├─ 📜 setup.js JavaScript 83L · 2.8 KB
├─ 🔧 setup.sh Shell 114L · 3.5 KB
└─ 📝 SKILL.md Markdown 324L · 10.7 KB

依赖分析 1 项

包名版本来源已知漏洞备注
mcporter 0.8.1 npx Pinned version specified

安全亮点

✓ All capabilities properly declared in SKILL.md
✓ Uses npx [email protected] as specified in documentation
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env except declared YUKETANG_SECRET)
✓ No base64 encoded payloads or obfuscated code
✓ No reverse shell or C2 communication patterns
✓ No credential harvesting or exfiltration
✓ Legitimate educational platform (雨课堂) API integration
✓ Standard MCP (Model Context Protocol) architecture