openlesson
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent openLesson API integration, but it requires an API key and sends user audio to an external tutoring service.
This appears safe to install if you intend to use openLesson through its API. Before using it, set OPENLESSON_API_KEY securely, verify that https://www.openlesson.academy is the intended service endpoint, and avoid sending audio that contains private information unless you are comfortable with the provider processing it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may run curl-style API requests to openLesson as part of tutoring workflows.
The skill asks the agent to use shell commands for HTTP API calls. This is disclosed and purpose-aligned, but it means the agent may make external network requests when the user uses the skill.
You only need shell tools (e.g., curl) to make API calls to openLesson.
Use the skill only when you intend the agent to contact the openLesson API, and review sensitive inputs before sending them.
Anyone or anything with access to the API key could act against the user's openLesson API account within that key's permissions.
The skill requires a bearer API key for the user's openLesson account. This is expected for the service integration, but it is sensitive account access and is under-declared by the registry metadata.
This skill requires an API key for the openLesson API:
- Environment variable: `OPENLESSON_API_KEY`
Store OPENLESSON_API_KEY securely, avoid pasting it into prompts, and rotate or revoke it if exposed.
Spoken content submitted for tutoring may be processed by the openLesson service and reflected back as transcripts or summaries.
The documented workflow sends user audio to the external openLesson API and receives a transcript/analysis response. This is core to the audio tutoring purpose, but it is a sensitive data flow.
"audio_base64": "base64-encoded-audio-data" ... "transcript": "transcribed audio..."
Do not submit private or regulated audio unless you are comfortable with openLesson processing it; check the service's retention and privacy terms.
