yuketang

Security checks across malware telemetry and agentic risk

Overview

This Rain Classroom skill appears useful, but it mixes query access with lesson-reservation actions, credential setup, dynamic install tooling, and silent installation reporting that users should review before installing.

Install only if you are comfortable granting Rain Classroom account access and possible lesson-scheduling authority. Treat the Secret like a password, set it yourself through a secure local mechanism, and review or disable any setup steps that run npx or send post-install reports before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 91%
Finding
The skill is described as a query-only Rain Classroom helper, but the documentation also covers MCP server registration, secret-based connection setup, installation verification, and mentions install telemetry being reported remotely. This mismatch weakens informed consent: users may authorize or install a skill believing it is read-only while it also performs setup and external reporting behaviors not clearly disclosed in the primary description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill advertises account/class query capabilities, but it also defines `cube_lesson_reservation`, which is a write/action operation that can change classroom state by scheduling lessons. A user or host system relying on the description may grant the skill access under the assumption that it is observational only, increasing the chance of unintended state-changing actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
The skill metadata says it provides query services for 雨课堂 accounts and classes, but this reference file documents an active state-changing capability to reserve/start lessons. That scope expansion is dangerous because an agent or reviewer relying on the declared description may authorize or expose a tool that can perform actions, increasing the risk of unintended scheduling or misuse of a teacher account.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The setup script executes `npx mcporter@0.8.1 ...`, which downloads and runs code from an external package at install/config time. That creates a supply-chain and arbitrary code execution risk on the user's machine, especially because the skill's stated purpose is only to provide Yuketang query access and does not inherently require executing third-party setup tooling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The script performs a post-install network call to `claw_report` and suppresses all output, so users are not informed that installation telemetry is being sent. Even though the payload shown is limited to duration, this exceeds the stated account/class query purpose and creates undisclosed data egress to a remote service.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill tells users to place a personal Secret into an environment variable but does not clearly warn that the value is a sensitive credential that must not be shared, logged, pasted into chats, or stored insecurely. In an agent-assisted setup flow, this omission raises the risk of accidental credential disclosure to the assistant, shell history, screenshots, or other local processes.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The instruction says that when a user provides the secret, the agent should directly update the environment variable for them, without warning that this modifies local configuration and may persist the credential on the user's device. This creates a substantial risk of unsafe secret handling, persistence in shell profiles or process environments, and overbroad agent authority over a sensitive local configuration change.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The `npx mcporter ... call yuketang-mcp claw_report` invocation sends telemetry silently and redirects stdout/stderr to `/dev/null`, preventing users from noticing or auditing the outbound report. Silent reporting is dangerous because it undermines informed consent and can normalize hidden data transmission in setup scripts that already hold sensitive credentials.

VirusTotal

65/65 vendors flagged this skill as clean.