ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Coursera Progress

v0.1.0

Fetch and display Coursera course enrollment, completion progress, grades, certificates, and upcoming deadlines using the Coursera API. Use this skill whenev...

0· 77·0 current·0 all-time
byThe Mooorish@elmoorish
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the actions in SKILL.md: it uses curl/python3 to call Coursera API endpoints and requires Coursera API credentials for personal data. However, the registry metadata shown to you has a parsing error ('Required env vars: [object Object]...') which does not match the SKILL.md; also the registry lists no primary credential while the skill clearly needs client credentials or an access token.
!
Instruction Scope
The instructions are scoped to Coursera endpoints (api.coursera.com and coursera.org) and show explicit curl commands. But SKILL.md marks COURSERA_ACCESS_TOKEN as optional (public lookup path B), yet the provided Python helper unconditionally reads os.environ['COURSERA_ACCESS_TOKEN'] (will raise if unset). That is an inconsistency that could cause runtime errors or lead an agent to prompt for/pull a token unexpectedly. Otherwise the instructions do not reference unrelated files or unexpected external endpoints.
Install Mechanism
This is instruction-only: no install spec, no code files are written to disk. Required binaries (curl, python3) are reasonable and proportional to the task.
!
Credentials
The SKILL.md legitimately needs COURSERA_CLIENT_ID and COURSERA_CLIENT_SECRET (to exchange for a token) and may use COURSERA_ACCESS_TOKEN. That set is proportionate to the task. However the registry metadata presented to you is malformed (envs show '[object Object]' entries) and there is no declared primary credential; these metadata issues make it unclear what the platform will ask you to supply. Also the helper code assumes an access token exists even though the doc calls it optional.
Persistence & Privilege
The skill is not always-enabled and has no install actions; it does not request persistent system privileges or write configuration. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors.
What to consider before installing
This skill's behavior (calling Coursera APIs with curl/python) is consistent with its description, but there are two issues to resolve before trusting it: (1) the registry metadata shown to you is corrupted — verify that the skill actually requests COURSERA_CLIENT_ID and COURSERA_CLIENT_SECRET (and whether COURSERA_ACCESS_TOKEN is required) in the installer UI; (2) the included Python helper assumes COURSERA_ACCESS_TOKEN is present even though the docs say it's optional, so the skill could prompt for or attempt to use a token unexpectedly. If you proceed, only provide credentials you intend to share: prefer using short-lived access tokens, review the token-exchange curl command before running it, and verify the only network endpoints contacted are api.coursera.com / coursera.org. If unsure, ask the skill author to fix the metadata and make the helper code check for the token before using it.

Like a lobster shell, security has layers — review code before you run it.

latestvk973z2dr8r473wbgqpqs8xj1vx83d90t

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binscurl, python3
Env[object Object], [object Object], [object Object]

Comments