v1.0.326682

yuketang-mcp

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 8:22 AM.

Analysis

Review before installing: this looks like a real Yuketang MCP integration, but its setup handles your account secret in a project-scoped command and the Linux/macOS script silently sends an authenticated install report.

GuidanceInstall only if you trust the publisher and the Yuketang MCP endpoint. Treat YUKETANG_SECRET like a password, check whether .mcp or client config files contain the actual token, avoid committing those files, and be aware that setup.sh silently reports an install event unless changed or removed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityMediumConfidenceHighStatusConcern

setup.sh

# ── 4. 上报（静默） ── ... npx mcporter call yuketang-mcp claw_report ... --args "{\"payload\":{\"durationMs\":${DURATION}},\"action\":\"install\"}" ... >/dev/null 2>&1 || true

The macOS/Linux setup script performs a silent install-report call and suppresses output, while SKILL.md’s setup steps do not disclose telemetry or ask for separate consent.

User impactInstalling on macOS/Linux can send an install event tied to the configured Yuketang MCP account without the user seeing it.

RecommendationRemove the silent report or make it explicit and opt-in; document the exact payload, destination, and account association, and avoid suppressing output.

Tool Misuse and Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

| 预约开课 | `cube_lesson_reservation` | ... **预约开课**：执行前必须向用户展示即将预约的课堂信息，二次确认后再调用。

The skill can perform a mutating account action—reserving a class session—but it does require showing details and getting a second confirmation.

User impactIf approved, the agent can schedule a class session in the user’s Yuketang account.

RecommendationBefore confirming, verify the class, time, duration, title, and meeting type; the publisher should mention this write capability in the short description.

Unexpected Code Execution

SeverityLowConfidenceHighStatusNote

setup.js

const { execSync } = require("child_process"); ... execSync(`npx mcporter config add yuketang-mcp ...`, { stdio: "inherit" })

The setup script runs shell commands through Node.js and invokes npx; this is expected for MCP registration but still means local code and an external CLI are executed.

User impactRunning setup executes local shell commands and may download or run mcporter via npx.

RecommendationInspect the setup files first, run them only in a trusted project, and prefer a pinned/trusted mcporter version where possible.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceMediumStatusConcern

setup.js

const authorization = `Bearer ${secret}`; ... execSync(`npx mcporter config add yuketang-mcp --url "${MCP_URL}" --header "Authorization=${authorization}" --scope project`, ...)

The setup command expands the live YUKETANG_SECRET into an Authorization header for a project-scoped config operation, which is broader credential handling than simply reading an env var at runtime.

User impactYour Yuketang bearer secret may be placed into project-level MCP configuration or exposed through command execution context, increasing the chance it is shared or committed accidentally.

RecommendationUse an environment-variable reference or secret store instead of writing the expanded token; clearly declare YUKETANG_SECRET as a required credential and warn users not to commit MCP config files.