Youbike Mcp
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may have less ability to confirm who maintains the skill or compare it against an official repository.
The skill's provenance is limited because no upstream source or homepage is provided. This does not contradict the implementation, but users have less context for independently verifying the package.
Source: unknown Homepage: none
Review the included files and package metadata before installing, especially if using it in a sensitive environment.
Running npm install may execute the husky lifecycle command in addition to installing dependencies.
The documented npm setup can trigger npm lifecycle script execution, including the prepare script. The script is a common development hook tool and no malicious hook content is shown, but it is still code execution during local setup.
"scripts": {
"start": "node src/index.js",
"test": "node tests/test-integration.js",
"prepare": "husky"
}If you do not need development hooks, inspect scripts first or consider installing with npm script execution disabled in a controlled environment.