Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Byted Bytehouse Load Analyzer
v1.0.0ByteHouse集群负载分析和性能监控工具,用于分析集群负载情况、监控资源使用情况、分析查询吞吐量、识别性能瓶颈。当用户需要分析ByteHouse集群负载情况、监控资源使用情况、分析查询吞吐量、识别性能瓶颈时,使用此Skill。
⭐ 0· 65·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's description and SKILL.md state it analyzes ByteHouse clusters and depends on a 'bytehouse-mcp' skill — that is coherent. However, the registry metadata declares no required environment variables or primary credential even though SKILL.md and the script require BYTEHOUSE_HOST/PORT/USER/PASSWORD. The missing declaration is an incoherence: the skill will need credentials but the manifest does not declare them.
Instruction Scope
SKILL.md instructs the user to set ByteHouse credentials and to reuse the bytehouse-mcp skill, which is expected. The shipped script, however, copies the entire process environment (os.environ.copy()) and passes it into the MCP subprocess, which means any unrelated secrets in the agent environment could be exposed to the subprocess. The SKILL.md does not disclose that it will forward the full environment. The script also launches an external MCP server component (via stdio_client and a command invocation) which may execute arbitrary code provided by that component — again not fully documented in the manifest.
Install Mechanism
There is no formal install spec (instruction-only), so nothing is automatically written at install. But the script starts an external command at an absolute path ('/root/.local/bin/uvx') with an argument that looks like a VCS package spec pointing to GitHub (git+https://github.com/volcengine/mcp-server@main#subdirectory=...), which will cause network fetch/installation at runtime. SKILL.md earlier mentions 'uv' at /root/.local/bin/uv, while the code uses '/root/.local/bin/uvx' — that mismatch is suspicious and undocumented. Running a subprocess that can pull code from GitHub is higher-risk than pure local analysis and should be reviewed.
Credentials
The skill requires ByteHouse credentials in practice (BYTEHOUSE_HOST, PORT, USER, PASSWORD) but the registry metadata lists no required env vars and no primary credential. Additionally, the script passes the entire environment into the subprocess, which can expose unrelated secrets (cloud keys, tokens, etc.) to the spawned process. Requiring the ByteHouse password is proportionate to the stated task, but the lack of manifest declaration and the full-env forwarding are problematic.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. It writes output files into its own output/ directory (expected). The notable privilege is runtime: it spawns an external subprocess (absolute path) and lets that subprocess handle MCP server logic — this gives that subprocess the ability to execute arbitrary code and access the forwarded environment. That runtime capability increases blast radius if the subprocess or fetched code is untrusted.
What to consider before installing
Before installing or running this skill, consider the following:
- Missing manifest declarations: The skill actually needs BYTEHOUSE_HOST, BYTEHOUSE_PORT, BYTEHOUSE_USER, and BYTEHOUSE_PASSWORD but the registry metadata does not declare them; ask the author to add these to requires.env/primaryEnv.
- Environment leakage: The script copies and forwards the entire process environment to a spawned subprocess. If your agent environment contains other secrets (cloud keys, tokens, etc.), those may be exposed. Only run this in an environment without sensitive credentials or request the author whitelist only the needed BYTEHOUSE_* variables.
- Subprocess and remote code fetch: The script invokes an absolute command (/root/.local/bin/uvx) and passes a git+https VCS spec pointing at GitHub. That will likely fetch and run code at runtime. Verify the referenced GitHub repository and the exact code that will be executed. The SKILL.md mentions 'uv' but the code calls 'uvx' — get clarification and ensure paths/commands are correct and trusted.
- Principle of least privilege: If you must use this, run it in an isolated environment (ephemeral container or sandbox) that does not hold other secrets or host-critical access.
- Ask the maintainer to: (1) update registry metadata to list required env variables and primary credential; (2) document exactly what subprocess is started and what network fetches occur; (3) avoid passing the full environment to subprocesses or explicitly whitelist environment variables; (4) fix the uv/uvx path mismatch.
If you cannot obtain satisfactory answers and confirmation of the upstream code, treat this skill as risky and avoid running it on hosts that contain other credentials or sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk97egdrk7gwmrtcgnpr33hhbb583mdnr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.