Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Moodle Claw
v1.1.0
Interact with Moodle LMS to browse courses, access learning materials, and answer questions about course content.
by Romain Mellaza (@4strium)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (medium confidence)
Purpose & Capability
The name and description match the actions described in SKILL.md (listing courses, downloading files, extracting PDF text). The skill asks the user to install a moodle-claw CLI binary which is consistent with a CLI-based integration. Minor inconsistency: registry metadata showed no homepage/source, while SKILL.md includes a GitHub repository and release URL — likely an oversight but worth confirming.
Instruction Scope
Runtime instructions are limited to installing the CLI, running its commands, and configuring Moodle access. They explicitly instruct users to provide a token, SSO redirect URL, or username/password. The SSO method instructs the user to copy a moodlemobile:// token URL from the browser network console — this is sensitive but consistent with known Moodle mobile token retrieval approaches. The instructions do not ask the agent to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
The skill directs downloading a single binary from a GitHub releases URL and verifies a SHA256 checksum before chmod +x. Using GitHub releases with a checksum is reasonable, but direct binary download and execution is inherently higher risk than installing from a tracked package manager or building from source. Confirm the release, checksum, and repository history before running the binary.
Credentials
The skill declares no environment variables or platform credentials, and the configuration prompts (token or username/password for the target Moodle instance) are proportional to the task of connecting to an LMS. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated platform privileges or claim to modify other skills. Installing the binary will create an executable on the host, but the skill itself does not request system-wide privileges beyond that.
Scan Findings in Context
[NO_CODE_FILES] expected: The skill is instruction-only (only SKILL.md present). The regex-based scanner had no code files to analyze; this is expected for an instruction-only skill but means there's no static code review of the binary the skill instructs you to download.
Assessment
This skill appears to do what it says (a CLI client for Moodle) but it requires you to download and run a third-party binary and to provide Moodle credentials or an SSO token. Before installing:
1) Verify the GitHub repository and release page referenced in SKILL.md (inspect source, release notes, and recent commits).
2) Manually verify the SHA256 checksum from the release page matches the one in SKILL.md (or better: fetch the checksum from the repo/release metadata).
3) Prefer obtaining an API token from your Moodle admin rather than entering username/password; when using the SSO method, be careful copying tokens from your browser devtools and understand they can grant access to your account.
4) If possible, run the binary in a restricted/sandboxed environment first (or build from source) to reduce risk.
5) Note the registry metadata omitted homepage info — confirm the upstream project identity before trusting the binary.
Like a lobster shell, security has layers — review code before you run it.
