EdStem

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its EdStem-sync purpose, but it ships with an EdStem bearer token in source code, asks users to store their own token in the same place, and may fetch more forum data than the requested limit.

Review the scripts before use. Remove the bundled EdStem token, use a private environment variable or secret manager for your own token, rotate any token that was pasted into source code, and choose an output directory appropriate for private course data. Be aware that the Python script may save metadata for at least 50 threads even when a lower limit is requested.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill before replacing the token could access EdStem using someone else’s credential, and replacing it by editing the script can leave the user’s session token exposed in local files, backups, or forks.

Why it was flagged

The skill content quoted below confirms that the package ships with an EdStem bearer credential by default; the scripts then send ED_TOKEN as the Authorization bearer for API calls.

Skill content

**Security:** The skill includes a bearer token by default. Users should: 1. Replace with their own token

Recommendation

Remove the bundled token, rotate any exposed token, and require users to provide credentials through a declared environment variable or secret store rather than editing source code.

What this means

A user who requests a smaller sync may still save more private course thread metadata than expected.

Why it was flagged

The documented limit is presented as the number of threads to fetch, but the code always retrieves and saves metadata for at least 50 threads.

Skill content

parser.add_argument('--limit' ... help='Number of threads to fetch (default: 10)') ... threads = fetch_threads(course_id, limit=max(args.limit, 50)) ... json.dump(threads, f, indent=2)

Recommendation

Honor the requested limit for all fetched/saved data, or clearly separate and document a larger metadata prefetch with an explicit option.

What this means

Student/staff names, questions, answers, and any instructions embedded in posts may be reused by an agent if the output directory is analyzed later.

Why it was flagged

The skill intentionally stores forum posts and suggests later LLM analysis, turning user-generated course content into persistent retrieved context.

Skill content

**threads.json** - Full thread list with metadata ... **thread-XXX.md** ... Original post content ... All answers and comments ... "Summarize the most common questions in ./course-data/"

Recommendation

Store outputs only in an appropriate private directory, follow course privacy rules, and treat forum text as untrusted content when giving it to an LLM.

What this means

Installers or users may not get normal preflight warnings that this skill needs network API access, dependencies, and an EdStem credential.

Why it was flagged

The registry metadata does not declare the credential and runtime dependencies that the included documentation and scripts require.

Skill content

Required binaries ... none; Required env vars: none; Primary credential: none; Install specifications: No install spec

Recommendation

Declare the EdStem credential, network/API usage, and dependencies such as requests, curl, and jq in the package metadata or install specification.