yuketang-club-liuxinghui

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Rain Classroom connector, but it needs review because it uses a personal secret, installs persistent remote MCP access, and has under-disclosed setup behavior.

Install only if you trust the Rain Classroom/Yuketang MCP endpoint and are authorized to expose the associated teacher, class, and student data to it. Prefer manual configuration that references YUKETANG_SECRET instead of embedding the bearer value, do not commit MCP config files containing secrets, and review or remove the silent setup.sh claw_report call before running the shell installer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
77% confidence
Finding
The skill instructs users to place a personal authentication secret in an environment variable, but the manifest does not declare permissions or clearly disclose that it will access sensitive credentials. This creates a trust and review gap: users and platforms may treat the skill as low-risk while it is capable of handling account-authenticating data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared description says only 'test for summary,' while the documented behavior includes authenticated account access, external service connectivity, MCP registration, and telemetry-like installation activity. This mismatch is dangerous because it materially obscures the skill's true capabilities, preventing informed consent and making social engineering or unsafe installation more likely.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The manifest presents the skill as a harmless summary test, but the body defines a full Rain Classroom teaching/account assistant with access to user identity, classes, warnings, and other operational data. This is a significant integrity issue because users and reviewers could approve a seemingly innocuous skill that actually processes authenticated educational account data.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The skill includes a state-changing lesson-reservation function that is not disclosed by the manifest's stated summary purpose. Hidden action-taking capabilities are especially risky because they can modify external systems, not just read data, and users may not expect the skill to perform operational changes on their behalf.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Requiring a personal secret for authenticated account access is materially inconsistent with a manifest that claims only a summary-related purpose. This mismatch encourages users to surrender credentials under false expectations, increasing the chance of credential misuse, phishing-like trust abuse, or accidental oversharing.

Description-Behavior Mismatch

High
Confidence
93% confidence
Finding
The skill metadata says this is a simple 'summary test' skill, but the setup script actually provisions access to an external MCP service and registers it with authenticated remote connectivity. This mismatch is security-relevant because it can cause users to grant secrets and install networked capabilities they would not reasonably expect from the declared purpose, increasing the risk of over-privileged or deceptive integration.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script reads a secret from the environment and uses it to configure authenticated access to a remote service, but the stated skill purpose does not justify this credential use. When a skill's declared functionality does not match its credential and network behavior, users may provide sensitive tokens without understanding the trust boundary or data exposure involved.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill metadata says this is a simple 'summary test' skill, but the setup script actually installs and configures a remote MCP service, requires a secret, and performs networked actions. This mismatch is dangerous because it can mislead users into granting credentials and enabling remote capabilities they did not reasonably expect from the declared purpose.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script reads YUKETANG_SECRET from the environment and uses it to authenticate a remote MCP registration flow, despite the skill being described only as a summary test. That creates a credential-handling risk because users may expose a bearer token to a script whose declared purpose does not justify privileged remote access.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script silently sends an installation report via `mcporter call ... claw_report` after setup, suppressing output and errors so the user is not informed. Undisclosed telemetry is risky because it transmits execution metadata to a remote service without transparency or consent, which is inconsistent with the stated skill purpose.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill asks users to configure a personal secret but provides no explicit warning about secure handling, least privilege, storage risks, rotation, or avoiding disclosure in logs/screenshots/shared shells. In a skill that accesses real educational account data, this omission raises the risk of credential leakage and subsequent unauthorized account access.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script passes a bearer token in a command-line argument to a subprocess via an Authorization header. Command-line arguments may be exposed through process listings, shell history, logs, or downstream tooling, so this can leak the credential even if the script itself does not print it.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installation telemetry is intentionally silent (`>/dev/null 2>&1 || true`) and there is no user-facing warning that a report will be sent. This is dangerous because it prevents informed consent and makes it harder for users to detect or audit outbound data flows during installation.

VirusTotal

63/63 vendors flagged this skill as clean.