Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Byted Bytehouse Diagnostics

v1.0.0

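ByteHouse cluster diagnostics and health-check tool for checking ByteHouse cluster health, diagnosing cluster problems and anomalies, viewing cluster node status, and analyzing cluster performance metrics. Use this Skill when the user needs to check ByteHouse cluster health, diagnose cluster problems and anomalies, view cluster node status, or analyze cluster performance metrics.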

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to depend on a 'bytehouse-mcp' skill and to reuse its configuration, which is reasonable. However the package/metadata declares no required env vars or primary credential while both SKILL.md and the script clearly require BYTEHOUSE_HOST/PORT/USER/PASSWORD. The script also directly invokes an MCP server implementation via a git+ URL rather than exclusively reusing an existing local MCP skill, which is inconsistent with the 'reuse bytehouse-mcp skill' claim.
[!] Instruction Scope
The runtime instructions and script perform only diagnostic queries (list_databases, run_select_query), which is consistent with the purpose. But the Python script copies os.environ and passes it intact to a spawned stdio MCP server subprocess — that gives the subprocess access to all environment variables (potentially leaking unrelated secrets). The SKILL.md tells users to set BYTEHOUSE_* variables but the manifest does not declare them; the README and SKILL.md refer to a uv binary at /root/.local/bin/uv, while the script hardcodes '/root/.local/bin/uvx' — an inconsistency that could cause unexpected behavior.
[!] Install Mechanism
There is no install spec, but the script configures StdioServerParameters to run a command that pulls 'git+https://github.com/volcengine/mcp-server@main#subdirectory=server/mcp_server_bytehouse' (a remote git+ URL) through a hardcoded local binary '/root/.local/bin/uvx'. That effectively results in runtime download-and-execute of external code and depends on a specific local executable path. Runtime fetching of code from external sources increases supply-chain risk and is disproportionate for a simple diagnostic wrapper unless explicitly justified.
[!] Credentials
The skill requests no env vars in metadata, but both documentation and the script require BYTEHOUSE_HOST/PORT/USER/PASSWORD and related flags. Worse, the script passes the entire process environment to the spawned MCP subprocess (env=os.environ.copy()), which could expose unrelated secrets (AWS keys, other service tokens) to the fetched server process. The number and sensitivity of env variables used are not declared in the registry metadata.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global configuration. Autonomous invocation is allowed (platform default) but is not by itself a new risk here. The main privilege concern is transient: executing a hardcoded local binary that downloads/executes remote code — this increases runtime privilege of whatever is run but is not expressed as persistent always-on presence.
What to consider before installing
This skill appears to implement ByteHouse diagnostics, but it has several red flags you should consider before installing or running it:
1) It expects BYTEHOUSE_HOST/PORT/USER/PASSWORD but the registry metadata does not declare those required environment variables — verify and supply only the minimum needed.
2) The script copies your entire environment and passes it to a spawned subprocess that pulls code from GitHub via a hardcoded '/root/.local/bin/uvx' command — that can leak unrelated secrets and executes externally fetched code. Only run this in an isolated environment (non-root, no unrelated secrets in env) and after verifying the uvx binary path and contents.
3) Prefer to confirm the exact MCP server code the skill will fetch (review the referenced GitHub subdirectory) before allowing network pulls, or configure/use a known, locally installed bytehouse-mcp skill implementation instead.
4) If you must run it, audit the output and the downloaded code, and restrict environment variables (unset sensitive vars) so only ByteHouse credentials are present.
If you cannot validate the fetched code or the local 'uvx' binary, treat the skill as untrusted.
