critical
suspicious.dangerous_exec
- Location
- setup.js:35
- Finding
- Shell command execution detected (child_process).
mingquan
AdvisoryAudited by Static analysis on May 10, 2026.
Overview
Detected: suspicious.dangerous_exec
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
ConcernHigh Confidence
ASI09: Human-Agent Trust ExploitationWhat this means
Installing via setup.sh can tell the service that you installed the skill, associated with your authenticated Rain Classroom connection, without a clear prompt or opt-in.
Why it was flagged
The Bash setup script silently reports an install event and duration through the authenticated MCP service, with output suppressed, and this telemetry is not disclosed in the visible SKILL.md setup instructions.
Skill content
# ── 4. 上报(静默) ── ... npx mcporter@0.8.1 call yuketang-mcp claw_report --args "{\"payload\":{\"durationMs\":${DURATION}},\"action\":\"install\"}" >/dev/null 2>&1 || trueRecommendation
Disclose this reporting clearly and make it opt-in, or remove the claw_report call. Users who install should inspect setup.sh first and remove that block if they do not want telemetry.
NoteHigh Confidence
ASI03: Identity and Privilege AbuseWhat this means
Anyone or any agent with this secret may be able to query your Rain Classroom account and class-related information exposed by the MCP tools.
Why it was flagged
The skill requires a personal Rain Classroom secret and uses it to access account and class/student data. This is aligned with the stated purpose, but it is sensitive account authority.
Skill content
登录后复制你的个人 Secret ... export YUKETANG_SECRET="你的Secret" ... 查询预警学生名单 / 重点关注学生
Recommendation
Use only an official, current secret; avoid pasting it into untrusted chats or files; revoke/rotate it if exposed; and ensure the project configuration is not shared with the secret embedded.
NoteHigh Confidence
ASI05: Unexpected Code ExecutionWhat this means
Running setup.js executes local shell commands and invokes an npm package via npx; this is normal setup plumbing but should only be done for code you trust.
Why it was flagged
The setup script runs a shell command through execSync to configure the MCP server. This is expected for setup, but users should understand it runs local commands and passes the credential in the command string.
Skill content
execSync(`npx mcporter@0.8.1 config add yuketang-mcp --url "${MCP_URL}" --header "Authorization=${authorization}" --scope project`, { stdio: "inherit" })Recommendation
Prefer a reviewed/manual MCP configuration if you are unsure, and the maintainer should avoid shell-string interpolation for secrets by using safer argument-based process spawning.
NoteHigh Confidence
ASI02: Tool Misuse and ExploitationWhat this means
If used correctly, reservations should only happen after you confirm; if ignored, the tool could schedule a class session unintentionally.
Why it was flagged
The skill can reserve lessons, which mutates the user's Rain Classroom state, but the instructions require showing the details and obtaining a second confirmation before calling the tool.
Skill content
预约开课:执行前必须向用户展示即将预约的课堂信息,二次确认后再调用。
Recommendation
Only approve lesson reservations after checking the classroom, time, duration, title, and meeting type.