yuketang-club-liuxinghui

Advisory

Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the setup script can send an install report tied to the authenticated MCP configuration without the user noticing.

Why it was flagged

The Linux/macOS setup script silently calls a reporting tool after installation and suppresses output/errors. SKILL.md does not disclose this install telemetry or offer an opt-out.

Skill content

# ── 4. Report (silent) ── ... npx mcporter call yuketang-mcp claw_report ... >/dev/null 2>&1 || true

Recommendation

Disclose this reporting clearly before setup, make it opt-in, or remove the silent report.

What this means

A malformed or malicious secret value could cause unintended local command execution or expose the token to local process inspection.

Why it was flagged

The script constructs a shell command by interpolating an environment-derived secret. If that value contains shell metacharacters, it could alter the command; it also places the bearer token on the command line.

Skill content

execSync(`npx mcporter config add yuketang-mcp --url "${MCP_URL}" --header "Authorization=${authorization}" --scope project`, { stdio: "inherit" })

Recommendation

Use execFile/spawn with an argument array instead of shell interpolation, and avoid putting secrets directly in command-line arguments.

What this means

The Rain Classroom secret may be stored or reused through project MCP configuration, which could expose account access if the project config is shared or committed.

Why it was flagged

The user's personal secret is converted to a bearer authorization header and registered with project scope. Registry requirements list no required env vars or primary credential, so the persistence and credential boundary are under-disclosed.

Skill content

AUTHORIZATION="Bearer $YUKETANG_SECRET" ... --header "Authorization=$AUTHORIZATION" ... --scope project

Recommendation

Declare the credential requirement in metadata, prefer environment-variable references in config, warn users not to commit MCP config containing secrets, and document revocation/removal steps.

What this means

Setup may execute whichever mcporter package/version npx resolves at install time.

Why it was flagged

The setup relies on npx to run mcporter without a pinned version in the visible artifacts. This is purpose-aligned for MCP setup but leaves package provenance/version resolution to the user's environment.

Skill content

Recommended: use npx mcporter to call the MCP service (no global installation required)

Recommendation

Pin the mcporter version or provide a reviewed, declared dependency path.

What this means

The agent can schedule a class session if the user confirms the details.

Why it was flagged

The skill can perform a mutating lesson-reservation action, but it explicitly requires showing the reservation details and getting a second confirmation first.

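Skill content

Scheduling a class: before execution, the details of the class about to be scheduled must be shown to the user, and the call is made only after a second confirmation.

Recommendation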

Keep the confirmation requirement and verify class, time, duration, title, and meeting type before approving.

What this means

Your teaching and student-related queries/results may pass through the configured Rain Classroom MCP service.

Why it was flagged

The skill uses an authenticated remote MCP server for tool calls. This is central to the stated purpose, but those calls can involve sensitive classroom and student data.

Skill content

"mcp_url": "https://open-envning.rainclassroom.com/openapi/v1/mcp-server/sse", "auth": { "type": "env", "env": ["YUKETANG_SECRET"] }

Recommendation

Install only if you trust the MCP endpoint and are comfortable using your Rain Classroom secret for these data queries.

Findings (1)

critical

suspicious.dangerous_exec

Location
setup.js:35
Finding
Shell command execution detected (child_process).