Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
EdStem
v1.1.0
Fetch, sync, and organize EdStem discussion threads for any course or institution. Use when checking for new EdStem posts, syncing course discussion forums,...
⭐ 0 · 672 · 0 current · 0 all-time
by axel browne (@axel5o5)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the code and SKILL.md: both Python and bash scripts call EdStem's API to list and fetch threads, format output, and differentiate staff vs student. No unrelated services or binaries are requested.
Instruction Scope
Runtime instructions stay within the stated purpose (fetching EdStem threads). The SKILL.md instructs users how to obtain a Bearer token via browser DevTools and to insert it into the Python script (ED_TOKEN), which is functional but insecure. Quick-start examples include a developer-specific path (/home/axel/...), indicating leftover local configuration.
Install Mechanism
No install spec (instruction-only) and included scripts are run locally. There are no downloads or external installers. This minimizes installer risk, but the included code will execute on the user's system when run.
Credentials
The skill declares no required credentials, yet both scripts contain a hardcoded ED_TOKEN value (same token in fetch-edstem.py and fetch-edstem.sh). Embedding an active bearer token in distributed code is a major mismatch and a sensitive secret leak: it exposes whoever owns that token and may let anyone running the scripts access that account's EdStem data. The SKILL.md/README instructs editing the script to paste your token instead of using environment variables, which is poor practice and inconsistent with typical credential handling.
Persistence & Privilege
The skill does not request persistent/always-on privilege and does not modify other skills or global agent configuration. It suggests user-managed automation (cron), which is a user action and not an automatic permission escalation by the skill itself.
What to consider before installing
Don't run this as-is. Both scripts include a hardcoded EdStem bearer token — that is a secret and its presence is a red flag. Before installing or running:
1) Treat the included token as compromised; do not use it.
2) Replace the ED_TOKEN usage with a secure pattern (read the token from an environment variable or a permissioned config file) and remove any hardcoded token from the code.
3) If you are the owner of the included token, rotate/revoke it immediately.
4) If you don't know who published this skill, prefer to fork or copy the scripts locally, remove the hardcoded token, and audit the code (and any leftover developer-specific paths like /home/axel) before running.
5) Consider running fetches with a least-privilege token and avoid storing tokens in repo files; add any local token file to .gitignore.
These steps will reduce the risk of unauthorized access or accidental data exposure.
Like a lobster shell, security has layers — review code before you run it.
latest: vk972hhap3sm2v7c2a6p8kghqdd81ak6r