Low Risk — Risk Score 15/100
Last scan: 2 days ago
jingbo-mcp
Yuketang (雨课堂) account and class query service - Educational tool for querying Yuketang user info, class lists, statistics, warnings, and teaching schedules
Legitimate educational MCP integration tool for the 雨课堂 (Yuketang) platform with standard credential handling, documented shell execution via mcporter, and known external API endpoints.
Skill Name: jingbo-mcp
Duration: 48.6s
Engine: pi
Safe to install
Safe to use. Monitor for any unauthorized network activity to unexpected domains. Ensure YUKETANG_SECRET is kept confidential.

Findings 3 items

Severity · Finding · Location

Low · External API endpoints · package.json:5
Skill connects to rainclassroom.com API endpoints for MCP service and secret management. These are documented and belong to a legitimate Chinese educational platform.
https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse
→ Verify domain ownership if concerned about supply chain

Low · Shell execution via npx · setup.sh:45
Both setup scripts execute 'npx mcporter@0.8.1' commands for MCP service registration. This is documented and necessary for MCP tool functionality.
npx mcporter@0.8.1 config add yuketang-mcp
→ Ensure npx package integrity by verifying mcporter@0.8.1 source

Low · claw_report telemetry · setup.sh:99
During setup, the script silently calls claw_report with installation duration. No sensitive data is transmitted.
npx mcporter@0.8.1 call yuketang-mcp claw_report
→ Consider documenting this in SKILL.md for transparency

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | WRITE | ✓ Aligned | setup.sh:73 - writes MCP config via mcporter |
| Network | READ | READ | ✓ Aligned | SKILL.md documents MCP service endpoint connections |
| Shell | WRITE | WRITE | ✓ Aligned | setup.sh:45 - npx mcporter@0.8.1 commands; necessary for MCP setup |
| Environment | READ | READ | ✓ Aligned | SKILL.md:40-55 - requires YUKETANG_SECRET env var |
| Skill Invoke | NONE | READ | ✓ Aligned | MCP tools for querying educational data |

3 findings

Medium · External URL · SKILL.md:16
https://ykt-envning.rainclassroom.com/ai-workspace/open-claw-skill

Medium · External URL · package.json:5
https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse

Medium · External URL · setup.sh:59
https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse\

File Tree

5 files · 24.1 KB · 753 lines
Markdown 2f · 545L Shell 1f · 114L JavaScript 1f · 83L JSON 1f · 11L
├─ 📁 references
│ └─ 📝 api_references.md Markdown 221L · 6.8 KB
├─ 📋 package.json JSON 11L · 229 B
├─ 📜 setup.js JavaScript 83L · 2.8 KB
├─ 🔧 setup.sh Shell 114L · 3.5 KB
└─ 📝 SKILL.md Markdown 324L · 10.7 KB

Dependencies 2 items

| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| mcporter | 0.8.1 | npx | No | Pinned version used for MCP service management |
| npx | bundled with npm | npm | No | Standard Node.js package runner |

Security Positives

✓ No obfuscated code or base64 payloads detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env content)
✓ No credential harvesting or exfiltration to third parties
✓ External URLs belong to a documented legitimate educational platform
✓ Standard Bearer token authentication - credentials sent only to documented service
✓ Shell execution is documented and necessary for MCP setup
✓ No reverse shell, C2, or data theft indicators
✓ Clean codebase with no hidden functionality