Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Byted Bytehouse Mcp
v1.0.0 · A skill that starts a ByteHouse MCP Server locally and calls its tools, used to connect to a ByteHouse database to query data, interact with ByteHouse over the MCP protocol, and generate data asset catalogs and lineage analysis. When the user needs to connect to a ByteHouse database to query data, interact with ByteHouse over the MCP protocol, or generate data asset catalogs and lineage analysis, use this Sk...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The skill's files (mcp_client.py, start/stop scripts, analyzer) align with the stated purpose of running an MCP server and querying ByteHouse. However, there are minor inconsistencies: SKILL.md / README mention 'uv' installed at /root/.local/bin/uv, while the scripts and Python code invoke '/root/.local/bin/uvx' (uvx). The registry metadata did not declare required binaries even though the runtime assumes specific binaries at absolute paths.
Instruction Scope
Runtime instructions start a background MCP server that is installed/started by invoking a git+ URL (via uvx) and then call arbitrary MCP tools. The Python code passes os.environ.copy() into the launched MCP Server process, which will forward all environment variables (not only ByteHouse credentials) to that external code. That behavior can leak unrelated secrets in the agent environment to the external server process. The instructions also assume the ability to run background processes and write PID/log files in the skill folder.
Install Mechanism
There is no formal install spec, but the runtime relies on executing a command that fetches and installs code from a GitHub repo (git+https://github.com/volcengine/mcp-server@main#subdirectory=...). Fetching and executing remote code at runtime is expected for this use-case but increases risk. The reliance on an absolute binary path (/root/.local/bin/uvx) is brittle and mismatches other documentation references to 'uv'.
Credentials
The skill legitimately needs ByteHouse connection info (host/user/password), and the SKILL.md asks the user to set ByteHouse-related env vars. But the code sets the child process env to a copy of the entire os.environ, which will expose any other environment secrets (cloud credentials, tokens, API keys) to the MCP Server process. The skill metadata did not declare these potential exposures.
Persistence & Privilege
The skill starts a persistent background service (writes PID and logs) and provides start/stop/status scripts; this is consistent with running a local server. always:false and normal autonomy settings are used. Starting a background process is expected, but you should be aware it will run arbitrary remote-installed code until stopped.
Scan Findings in Context
[GIT_REMOTE_URL] expected: The code repeatedly uses a git+https://github.com/volcengine/mcp-server@main#subdirectory=... URL to fetch the MCP Server implementation. This is coherent with installing the official MCP server but it means remote code will be fetched and executed at runtime—review the remote repo before use.
[ENV_PROPAGATION_TO_CHILD_PROCESS] unexpected: mcp_client.py and other scripts pass os.environ.copy() into the server's env (stdio_client server_params.env = env), which will expose all environment variables to the spawned MCP Server. This is not necessary if only ByteHouse credentials are required and increases risk of secret leakage.
What to consider before installing
This skill appears to implement what it says (running a local ByteHouse MCP Server and calling its tools) but you should be cautious before running it in a production or privileged environment. Recommended actions before installing or executing:
- Inspect and verify the remote repository referenced (https://github.com/volcengine/mcp-server) so you know what code will be fetched and executed.
- Confirm which binary will be used on your system: the docs reference both 'uv' and '/root/.local/bin/uvx'. Adjust scripts to point to a trusted runtime binary, or install uv/uvx from a trusted source.
- Avoid running as root. Run inside an isolated environment (container, VM) or restricted user to limit blast radius.
- Limit environment exposure: do not run these scripts in an environment containing unrelated secrets. Consider clearing or whitelisting environment variables before launching the MCP Server so only ByteHouse credentials are forwarded.
- If you need to keep persistent service, verify the start/stop scripts and log/PID locations; consider running under a process supervisor you control.
- If you are not comfortable auditing the remote code or controlling environment leakage, consider asking for an official packaged release or a version pinned to a known-good commit instead of fetching 'main'.
