Wilma

v1.4.1

Access Finland's Wilma school system from AI agents. Fetch schedules, homework, exams, grades, messages, and news via the wilma CLI. Start with `wilma summar...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the requested binaries and install: the skill requires the 'wilma' CLI (provided by npm package @wilm-ai/wilma-cli) and relies on a local Wilma config containing session credentials. These requirements are appropriate for a Wilma integration. Note: registry metadata at the top of the report lists no required config paths, but the SKILL.md declares ~/.config/wilmai/config.json as required — this is an inconsistency in metadata but not a functional mismatch with the skill's purpose.
Instruction Scope
The SKILL.md instructs the agent to run the wilma/wilmai CLI in non-interactive mode and to prefer --json output. It also documents use of a local config file and optional --totp-secret (TOTP secret) on the command line and recommends saving the TOTP secret in the local config via interactive setup. These instructions remain within scope for reading Wilma data, but they imply the agent (via the CLI) will access stored session credentials/TOTP secrets — a sensitive capability that users should be aware of. The SKILL.md does not instruct the agent to read arbitrary system files beyond the Wilma config or to transmit data to unexpected endpoints.
Install Mechanism
Install is an npm global package (@wilm-ai/wilma-cli) which produces the declared 'wilma' binary. This is proportionate for a CLI wrapper. Installing from npm is a moderate-risk action (code executed from registry); user should verify the package and its source (SKILL.md links a GitHub repo and wilm.ai site). The included wrapper script is straightforward and not malicious.
Credentials
The skill declares no environment variables and no remote credentials, which is consistent. However, the workflow requires a local config (~/.config/wilmai/config.json) that stores session credentials and possibly a saved TOTP secret; those are sensitive. The SKILL.md also suggests passing a TOTP secret on the command line (one-off), which exposes the secret to process lists and shell history — a security caveat but within the expected needs of MFA support.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not modify other skills or claim system-wide configuration changes. Its install writes a CLI binary (via npm) which is normal for a CLI integration.
Assessment
This skill is coherent: it wraps a Wilma CLI and expects a local Wilma config that stores session tokens/TOTP secrets. Before installing:
(1) verify the npm package and linked GitHub repo (ensure @wilm-ai/wilma-cli is the legitimate project),
(2) be aware the CLI stores session credentials and (optionally) TOTP secrets in ~/.config/wilmai/config.json (inspect that file and its permissions),
(3) avoid passing TOTP secrets on the command line when possible (use interactive save or other secure storage) because command-line arguments can be exposed in process listings and shell history,
(4) note the small metadata inconsistency about required config paths in the registry vs SKILL.md and confirm the agent/runtime will allow use of the local config, and
(5) if you need stronger isolation, test the npm package in a sandbox before granting the agent access to real student accounts.

Like a lobster shell, security has layers — review code before you run it.

latest vk971hj9tw5j8bwsn3e1asbarax82a3wx

Runtime requirements

Bins: wilma

Install

Install Wilma CLI (npm)
Bins: wilma
npm i -g @wilm-ai/wilma-cli