ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Canvas LMS Student Skill

v0.1.1

Use when the user needs to interact with Canvas LMS as a student. Trigger phrases include "check my homework", "what's due", "download my lecture PDFs", "lis...

0· 42·0 current·0 all-time
by@efan404
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
stale
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match requested artifacts: CANVAS_BASE_URL, CANVAS_API_TOKEN, a config file path, and Python. All required env vars and the config file are coherent with a Canvas student read-only client.
Instruction Scope
SKILL.md and the scripts instruct the agent to call Canvas APIs, list courses/assignments, download files, and export calendars. The runtime instructions reference only the declared env vars and the declared config path. File downloads and writing .ics or saved outputs are expected behavior for this skill.
Install Mechanism
Registry metadata states 'No install spec — instruction-only', but the bundle contains Python scripts, a manifest with a setup_script/entry_point, a setup.sh, requirements.txt, and an entry wrapper.py. This mismatch means the registry may not auto-install dependencies or run setup.sh; conversely, some installers might run setup.sh. You should inspect setup.sh and wrapper.py before executing any install or setup steps. The code is bundled locally (no external downloads found), which lowers network-install risk, but local install scripts still can run arbitrary commands.
Credentials
Only two environment items are required: CANVAS_BASE_URL and CANVAS_API_TOKEN (primary credential) plus an optional config file path in the user's home directory. These are appropriate for the described Canvas operations and there are no unrelated credentials or broad permissions requested.
Persistence & Privilege
The skill does not request always:true or other elevated registry privileges. It reads/writes only its own config path (~/.config/canvas-lms/config.json) and writes downloaded files/exports to locations the user specifies; it does not modify other skills or global agent settings.
What to consider before installing
This bundle mostly looks coherent for a Canvas read-only tool, but take these precautions before installing or running it: 1) Inspect setup.sh and wrapper.py (and any other scripts) to confirm they only install Python packages and don't run unexpected shell commands. 2) Verify the package's source (the GitHub homepage) and check maintainer reputation and recent commits. 3) Limit exposure of your Canvas API token: prefer using a short-lived token or revoke it if you suspect misuse; consider using environment variables rather than storing the token in ~/.config unless you trust the machine. 4) Be aware the scripts will write files to disk (downloads and .ics exports); choose safe output paths and don't run as a privileged user. 5) Because registry metadata said 'instruction-only' but code and a setup script are present, assume the installer will not automatically install dependencies — run pip install -r requirements.txt in a controlled environment (e.g., virtualenv) after review. If you want higher assurance, request the author to clarify/install steps or review the full setup.sh/wrapper.py for any hidden commands. If you prefer not to trust the bundle, perform actions manually using the official canvasapi SDK and your token instead.

Like a lobster shell, security has layers — review code before you run it.

canvasvk9707n7g78tey1rdm6zvc85ta1847wr0educationvk9707n7g78tey1rdm6zvc85ta1847wr0latestvk9707n7g78tey1rdm6zvc85ta1847wr0lmsvk9707n7g78tey1rdm6zvc85ta1847wr0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎓 Clawdis
Any binpython3, python
EnvCANVAS_BASE_URL, CANVAS_API_TOKEN
Config~/.config/canvas-lms/config.json
Primary envCANVAS_API_TOKEN

Comments