ClawHub

Moodle Web Services Skill

v1.0.0

Integrate with Moodle 4.x via REST Web Services to create courses, manage enrollments, activities, grades, and list courses or students.

0· 646·0 current·2 all-time
by@exeandino
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match expected actions (create courses, enrollments, activities, grades) and those actions legitimately require a Moodle base URL and a web-service token. However, the registry metadata lists no required credentials or config paths even though the SKILL.md clearly states a token and base URL are required.
Instruction Scope
SKILL.md stays focused on Moodle REST operations and warns not to paste tokens into chat. It advises storing the token in a local file (~/.openclaw/workspace/secrets/moodle-ws.json) or an environment variable. The instructions do not explicitly tell the agent to read unrelated system files, but they do prescribe a specific local secrets path that is not declared in the metadata.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. There are no downloads or package installs to review.
!
Credentials
SKILL.md requires a Moodle Web Service token and a Moodle base URL, which are proportionate to the skill's purpose. The concern is that the registry metadata declares no required environment variables, primary credential, or config path despite the instructions recommending a secrets file path; this mismatch makes it unclear how the agent will obtain and protect the token at runtime.
Persistence & Privilege
The skill does not request always: true, does not claim persistent system-wide modifications, and is user-invocable. Autonomous invocation is allowed by default but not, by itself, a red flag here.
What to consider before installing
This skill appears to be aimed at valid Moodle REST tasks and legitimately needs a Moodle base URL and a Web Service token. Before installing: (1) confirm with the publisher how the agent will access the token at runtime (env var vs file) and why the registry metadata omits required credentials/config paths; (2) if you proceed, create a least-privilege Moodle token limited to only the needed capabilities and test in a non-production Moodle instance; (3) never paste tokens into chat — configure them in a secure, non-versioned location and verify the agent only reads the specific secret you provide; (4) because this is instruction-only (no code to audit), prefer installing only from a trusted source or ask the author for a signed/hosted package or clarified manifest before granting access.

Like a lobster shell, security has layers — review code before you run it.

apivk971kg0kyg1cr7q2ne9bb20na1815nvcautomationvk971kg0kyg1cr7q2ne9bb20na1815nvcexternalvk971kg0kyg1cr7q2ne9bb20na1815nvcintegrationvk971kg0kyg1cr7q2ne9bb20na1815nvclatestvk971kg0kyg1cr7q2ne9bb20na1815nvclmsvk971kg0kyg1cr7q2ne9bb20na1815nvcmoodlevk971kg0kyg1cr7q2ne9bb20na1815nvcrestvk971kg0kyg1cr7q2ne9bb20na1815nvcskillvk971kg0kyg1cr7q2ne9bb20na1815nvcwebservicesvk971kg0kyg1cr7q2ne9bb20na1815nvc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments