Tmp.ZvBQwLjjXS
Advisory
Audited by Static analysis on May 12, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could alter or delete classroom content, remove people, or change grades and submission states.
The skill exposes tools that can materially change Classroom courses, rosters, and student work outcomes. The artifacts do not describe explicit approval, scoping, or rollback requirements for these high-impact actions.
Courses | list / get / create / update / delete / archive / unarchive ... Students | list / get / add / remove ... Submissions | list / get / grade / return / turn-in / reclaim
Only use with explicit per-action confirmation for destructive or grading/roster changes, and limit it to the minimum necessary Google account permissions.
The agent may be able to perform broader Classroom actions than the named tools imply, increasing the chance of unintended account changes.
The documented escape hatch suggests raw or less-constrained Classroom operations beyond the dedicated tools, without explaining limits, validation, or user-approval requirements.
For guardians, guardian-invitations, materials, and assignee management, use `gog_classroom_run` (the escape hatch).
Avoid using the escape hatch unless the exact command and impact are reviewed by the user first.
A changed or compromised npm package could run with access to the user's authenticated Google Classroom environment.
The setup launches an external npm package without a version pin. Because the provided artifact set contains no code files, the runtime code handling the authenticated Classroom account is outside this review.
"command": "npx", "args": ["-y", "gogcli-mcp-classroom"]
Pin and verify the package version, review the package source before use, and run it under a least-privilege Google account.
The agent will operate through the selected Google account and may access or change Classroom data visible to that account.
The skill requires an authenticated Google account, which is expected for Classroom management but grants access to sensitive school and account data.
- [gogcli](https://github.com/steipete/gogcli) installed and authenticated ... "GOG_ACCOUNT": "you@gmail.com"
Use a dedicated, least-privileged account where possible and confirm which Google account is selected before performing actions.
