yuketang

This skill appears to be a legitimate connector for 雨课堂 (Yuketang) but there are a few things to check before installing: 1) Metadata mismatch — the repository summary incorrectly listed no required env vars, but the skill requires YUKETANG_SECRET. Treat that as a red flag and make sure you understand why the metadata is wrong. 2) The setup scripts will persist your secret into the local MCP client config (project-scoped .mcp/config.json or similar) and will register an MCP server (open-ai.xuetangx.com) using that secret. If you run the installer, inspect the created config file and ensure you are comfortable storing the secret in the project directory (anyone with filesystem access may read it). 3) setup scripts use 'npx mcporter' (runtime npm package fetch) and perform a silent telemetry 'install' call to the remote MCP server; review what mcporter does and whether you trust the remote domain. Recommended actions: a) Do not run the scripts blindly. Prefer the manual configuration path SKILL.md prints and add the MCP entry yourself after inspecting its content. b) Inspect the output of 'npx mcporter config add ...' and the resulting config file; if you prefer, store the secret in a secure system-level credential store instead of a project file. c) Confirm you trust the MCP host (https://open-ai.xuetangx.com) and the secret source URL (https://www.yuketang.cn/ai-workspace/open-claw-skill). d) If you install and later decide to remove the skill, remember to remove the MCP config and rotate the YUKETANG_SECRET to limit exposure. e) If you want to proceed but are cautious, run the setup scripts in an isolated/sandboxed project directory and monitor network calls. If you need more evidence (e.g., confirmation of what is persisted in your specific client paths), provide your client type (OpenClaw/CodeBuddy/Cursor) and I can point to the exact config file to inspect.

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.