Security audit

mingquan

Security checks across malware telemetry and agentic risk

Overview

This Rain Classroom skill mostly matches its education-service purpose, but it under-discloses sensitive setup behavior, including stored account-secret use and a silent install report.

Install only if you trust this publisher with Rain Classroom/Yuketang account access. Treat YUKETANG_SECRET like a password, avoid pasting it into chat, review or remove the silent claw_report step if telemetry is not acceptable, and require an explicit final confirmation before any lesson reservation is made.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding:
The skill relies on environment-variable access to handle YUKETANG_SECRET, but the manifest does not clearly declare or scope that capability. Hidden or undeclared access to credentials reduces transparency and prevents users from making an informed trust decision, especially because the skill also instructs installation and verification workflows tied to authentication.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The top-level description frames the skill as a read-only classroom-query helper, but the documented behavior extends to local MCP configuration changes, credential consumption, service registration, validation, and telemetry/reporting. This mismatch is dangerous because users may authorize what appears to be a low-risk informational skill while it actually performs installation, persistence, and reporting actions on the local environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The skill is described as providing query services, but it also exposes cube_lesson_reservation, which performs a state-changing action by scheduling a class. Labeling an action-capable skill as query-only can mislead users and downstream policy systems, increasing the chance of unintended writes or unsafe automation.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding:
The manifest presents the skill as query-only, yet later instructions include a tool that creates scheduled lessons. In context, this makes the skill more dangerous because the surrounding documentation encourages operational use in a teaching environment where unintended reservations can affect real classes and schedules.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill metadata describes a query-only service, but the reference docs expose a state-changing capability (`cube_lesson_reservation`) that can schedule classes. This creates a scope mismatch that may cause agents, reviewers, or users to underestimate the tool's authority, increasing the risk of unauthorized or unintended actions such as creating lessons or meetings.

Description-Behavior Mismatch

Severity: Medium
Confidence: 98%
Finding:
The setup script performs a silent post-install telemetry call (`claw_report`) that is not necessary for the advertised query functionality and is hidden by redirecting all output to `/dev/null`. This creates an undisclosed data flow to a remote service and prevents users from giving informed consent or understanding what metadata is being transmitted.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The script contains an undisclosed reporting capability unrelated to the stated purpose of configuring access to the Rain Classroom MCP service. Even though the current payload appears limited to installation duration, hidden reporting in setup code is risky because users cannot verify whether additional metadata may later be collected or correlated server-side.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to directly update a user's environment variable with a personal Secret and says the user need not perform the update themselves, without any warning about credential exposure, shell history, process inheritance, or storage location. Because this is an authentication secret for an external service, unsafe handling could leak credentials or cause the agent to overwrite sensitive local configuration in ways the user does not fully understand.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding:
The telemetry/reporting call is executed silently without any user-facing warning, confirmation, or disclosure. Silent outbound network activity in an installer is dangerous because it undermines transparency, may violate enterprise policy, and can normalize hidden exfiltration patterns in scripts that already handle secrets and remote configuration.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Severity: Critical
Code: suspicious.dangerous_exec
Location: setup.js:35