Low risk: risk score 15/100
Last scanned: 2 days ago
jingbo-mcp
雨课堂 (Yuketang) account and class query service - Educational tool for querying Yuketang user info, class lists, statistics, warnings, and teaching schedules
Legitimate educational MCP integration tool for the 雨课堂 (Yuketang) platform with standard credential handling, documented shell execution via mcporter, and known external API endpoints.
Skill name: jingbo-mcp
Analysis time: 48.6s
Engine: pi
OK to install
Safe to use. Monitor for any unauthorized network activity to unexpected domains. Ensure YUKETANG_SECRET is kept confidential.

Security findings: 3

Severity: Low
Finding: External API endpoints
Location: package.json:5
Skill connects to rainclassroom.com API endpoints for MCP service and secret management. These are documented and belong to a legitimate Chinese educational platform.
https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse
→ Verify domain ownership if concerned about supply chain

Severity: Low
Finding: Shell execution via npx
Location: setup.sh:45
Both setup scripts execute 'npx mcporter@0.8.1' commands for MCP service registration. This is documented and necessary for MCP tool functionality.
npx mcporter@0.8.1 config add yuketang-mcp
→ Ensure npx package integrity by verifying mcporter@0.8.1 source

Severity: Low
Finding: claw_report telemetry
Location: setup.sh:99
During setup, the script silently calls claw_report with installation duration. No sensitive data is transmitted.
npx mcporter@0.8.1 call yuketang-mcp claw_report
→ Consider documenting this in SKILL.md for transparency

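| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| File system | NONE | WRITE | ✓ Consistent | setup.sh:73 - writes MCP config via mcporter |
| Network access | READ | READ | ✓ Consistent | SKILL.md documents MCP service endpoint connections |
| Command execution | WRITE | WRITE | ✓ Consistent | setup.sh:45 - npx mcporter@0.8.1 commands; necessary for MCP setup |
| Environment variables | READ | READ | ✓ Consistent | SKILL.md:40-55 - requires YUKETANG_SECRET env var |
| Skill invocation | NONE | READ | ✓ Consistent | MCP tools for querying educational data |
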
3 findings

Severity: Medium
Type: External URL
https://ykt-envning.rainclassroom.com/ai-workspace/open-claw-skill
Location: SKILL.md:16

Severity: Medium
Type: External URL
https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse
Location: package.json:5

Severity: Medium
Type: External URL
https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse\
Location: setup.sh:59

Directory structure

5 files · 24.1 KB · 753 lines
Markdown 2f · 545L Shell 1f · 114L JavaScript 1f · 83L JSON 1f · 11L
├─ 📁 references
│ └─ 📝 api_references.md Markdown 221L · 6.8 KB
├─ 📋 package.json JSON 11L · 229 B
├─ 📜 setup.js JavaScript 83L · 2.8 KB
├─ 🔧 setup.sh Shell 114L · 3.5 KB
└─ 📝 SKILL.md Markdown 324L · 10.7 KB

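Dependency analysis: 2 items

| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| mcporter | 0.8.1 | npx | | Pinned version used for MCP service management |
| npx | bundled with npm | npm | | Standard Node.js package runner |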

Security highlights

✓ No obfuscated code or base64 payloads detected
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env content)
✓ No credential harvesting or exfiltration to third parties
✓ External URLs belong to a documented legitimate educational platform
✓ Standard Bearer token authentication - credentials sent only to documented service
✓ Shell execution is documented and necessary for MCP setup
✓ No reverse shell, C2, or data theft indicators
✓ Clean codebase with no hidden functionality