hoseo-lms
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This LMS utility collects course data, but it also uses a student password to auto-play unwatched lectures, which may affect attendance or progress despite read-only framing.
Review the auto_attend behavior carefully before installing. Use the read-only scraper/summary features separately if that is all you need, avoid passing passwords on the command line, set strict lecture limits if you run playback automation, and confirm that automated lecture playback is allowed for your LMS account.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run without careful limits, the agent could play many LMS lectures and potentially change course progress or attendance-related state.
The skill documents broad automated playback behavior, including an all-lectures default and auto-resume behavior, on a logged-in LMS account.
`--limit-lectures` | `0` | int | Number of videos to play (0=all) ... Auto-resumes if video is paused or stalled
Only run auto_attend after explicit user approval, require a course and lecture limit, and confirm that automated playback is allowed by the LMS policy.
A user may trust the skill as a harmless reporting tool while it performs account actions that could affect academic records or violate LMS rules.
The read-only/no-attendance framing understates that the skill automates video playback in the LMS, which can have attendance or progress side effects even without an explicit grade or submission API call.
All operations are **user-initiated**, **read-only** ... **No Automatic Submission** ... Plays video with muted autoplay ... Auto-resumes if video is paused or stalled
Revise the description to clearly state that auto_attend automates LMS lecture playback and may affect attendance/progress; keep it separate from the read-only reporting workflow.
A student account password could be exposed locally or handled in a way users do not expect from the metadata.
The docs show passing the LMS password directly on the command line, which can expose it through shell history or local process listings; the registry metadata also declares no primary credential.
Play with direct credentials: `python3 src/auto_attend.py --id 20231234 --pw password --limit-lectures 4`
Avoid command-line password arguments; prefer a protected credentials file or an interactive prompt, and declare the required LMS credential in metadata.
Private academic information is stored locally and may be reused in later agent responses.
The README says the agent reads the persistent local data.json file to answer questions, and the schema includes courses, attendance, assignments, and quizzes.
Once `src/scraper.py` collects the data below from the LMS, the OpenClaw agent reads `data.json` to answer queries.
Keep ~/.config/hoseo_lms/data.json protected, delete it when no longer needed, and avoid sharing agent context that includes the report.
Different Playwright versions could be installed depending on the environment.
The dependency is a lower-bound range rather than a pinned version; this is common but gives less reproducible provenance for a browser automation dependency.
playwright>=1.40
Pin dependency versions or install from a trusted, reviewed environment before running the browser automation module.
