moodle
ReviewAudited by ClawScan on May 17, 2026.
Overview
This Moodle skill is mostly a read-only API helper, but it can send your Moodle token to a fixed default Moodle site if you forget to set MOODLE_URL.
Before installing, make sure you explicitly configure MOODLE_URL for your own Moodle instance and use a limited Moodle web-service token. If you have already run it without MOODLE_URL set, consider revoking and regenerating that token.
Publisher note
Access your Moodle LMS via the REST API. Check assignments, browse course content, and verify activity completion. Supports any Moodle instance — configure MOODLE_URL and MOODLE_TOKEN.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may contact your Moodle server and retrieve course, assignment, and completion information.
The skill tells the agent to run curl requests to Moodle. This is purpose-aligned and read-oriented, but users should know it will make external API calls.
Use the Moodle REST API (`curl`) to list courses, browse content, and check assignments.
Use it only with the Moodle instance you intend, and review broad listing requests if your course data is sensitive.
A Moodle token for another school or organization could be disclosed to the default site if the URL is not set correctly.
Only MOODLE_TOKEN is required, while the LMS URL falls back to a fixed host. If MOODLE_URL is omitted or misconfigured, the user's token is sent to that default Moodle endpoint.
"requires": { "env": ["MOODLE_TOKEN"], "bins": ["curl"] } ... `MOODLE_URL` defaults to `https://mylms.vossie.net` when unset. ... `--data-urlencode "wstoken=$MOODLE_TOKEN"`Set MOODLE_URL explicitly before use, preferably with a least-privilege Moodle token. The publisher should make MOODLE_URL required or remove the fixed default.