Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Interactive LeetCode practice
v1.0.3
Use when the user wants to practice LeetCode problems, submit solutions, or set up LeetCode integration. Covers MCP server installation, learning-guided practice flow, solution submission, and authentication.
⭐ 0· 1.1k·1 current·1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (interactive LeetCode practice, MCP server, submission, auth) aligns with the declared requirements: it needs npx to run an npm MCP server and a local config path (~/.leetcode-mcp/credentials.json) to store session cookies. No unrelated binaries, services, or credentials are requested.
Instruction Scope
SKILL.md stays within scope: it instructs installing/adding the MCP server via npx, calling MCP prompts (get_started, leetcode_learning_mode, etc.), and saving LeetCode session cookies to ~/.leetcode-mcp/credentials.json after asking the user for consent. It does not instruct reading unrelated system files or exfiltrating data to unexpected endpoints.
Install Mechanism
The skill is instruction-only (no install spec) but tells the operator to run npx -y @sperekrestova/interactive-leetcode-mcp@3.1.1. Running npx will download and execute code from the public npm registry — this is expected for an MCP server but is inherently higher-risk than pure local instructions. The SKILL.md advises pinning a specific version and points to the package GitHub and npm pages, which is good practice.
Credentials
No environment variables are requested. The single required config path (~/.leetcode-mcp/credentials.json) and its declared contents (csrftoken, LEETCODE_SESSION, timestamp) are proportional to the purpose (storing LeetCode session cookies). The SKILL.md explicitly requires user consent before storing credentials and suggests 0600 permissions.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and has disable-model-invocation: true (prevents autonomous model-driven invocations), reducing autonomous risk. It does suggest adding an MCP server entry to the client's MCP configuration and storing local credentials, which are reasonable for this integration and scoped to the skill itself.
Assessment
This skill appears to do what it says: run an npm MCP server and manage LeetCode sessions locally. Before installing or enabling it: (1) Confirm you trust the npm package and the linked GitHub repo — npx will download and run code from the npm registry. (2) Pin the exact package version rather than using @latest and review the release/changelog. (3) Only proceed after explicit user consent to store session cookies in ~/.leetcode-mcp/credentials.json; the skill says it will set file perms to 0600, but you should verify that. (4) If you need higher assurance, manually inspect the package source on GitHub (or install it in an isolated environment) before running it in a production agent.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: npx
Config: ~/.leetcode-mcp/credentials.json
