ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openlesson

v1.0.2

Interact with the openLesson tutoring API to generate learning plans, start audio-based sessions, analyze reasoning gaps, and manage tutoring workflows.

2· 534·0 current·0 all-time
byuncertainsystems@dncolomer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (audio tutoring, plans, session analysis) align with the declared requirement (OPENLESSON_API_KEY) and the endpoints/instructions in SKILL.md. Nothing in the skill asks for unrelated credentials or system access.
Instruction Scope
SKILL.md instructs the agent to construct JSON/curl POSTs and to base64-encode audio chunks before POSTing to the analyze endpoint; it explicitly warns against sending text to the analyze endpoint and against using a browser tool. This is within scope, but note that the agent will transmit user audio (potentially sensitive) to an external API (https://www.openlesson.academy). The skill does not instruct reading local files or unrelated env vars.
Install Mechanism
Instruction-only skill with no install spec and no bundled code — minimal risk from installation. All runtime actions rely on standard shell tools (curl) presumed present.
Credentials
Only a single environment variable is required (OPENLESSON_API_KEY), which is appropriate for an API-binding skill. No other secrets or config paths are requested.
Persistence & Privilege
The skill does not request permanent presence (always:false), stores session IDs only in-memory for the conversation, and does not modify other skills or system-wide settings. Autonomous invocation remains enabled by platform default (normal).
Assessment
This skill appears coherent and only needs a single OPENLESSON_API_KEY. Before installing: verify you trust the openlesson.academy domain (there is no homepage/source listed in the metadata), because the agent will send user audio to that external service; avoid sending highly sensitive audio through the skill; use a dedicated API key you can revoke; confirm the URL used is exactly https://www.openlesson.academy (the SKILL.md warns redirects can strip the Authorization header); and, if you prefer tighter control, disable autonomous invocation or limit the skill's use to explicit (user-invoked) actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a82929a7y66tqge5hwdx64x81s0be

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments