Moodle Web Services Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its Moodle administration purpose, but it can change courses, enrollments, activities, and grades using a powerful Moodle token without enough declared scope or guardrails.
Before installing, make sure you can provide a dedicated, least-privilege Moodle Web Service token, preferably for a test environment first. Require the agent to show exactly which courses, users, activities, or grades it will change and ask for confirmation before any write operation.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overbroad instruction could create or alter courses, enrollments, activities, or grades in a Moodle site.
These are high-impact write operations against Moodle academic and administrative records, but the artifact does not define approval, scoping, validation, dry-run, or rollback requirements before making changes.
- Create course
- Enroll / unenroll users
- Create / update activities:
  - Quiz
  - Assignment
  - Forum
- Submit grades
Require explicit user confirmation for every write action, limit each request to named courses/users, test in a sandbox first, and document rollback or audit steps.
If a broad Moodle token is used, the agent may have authority to make significant site or course changes beyond what the user intended for a specific task.
The skill requires a Moodle token with administrative capabilities, while the provided metadata declares no primary credential or required environment variables; the artifact recommends limited tokens but does not concretely bound the privilege scope.
Web Service token with the appropriate permissions (role with capabilities to: create courses, manage enrollments, manage activities, manage grades).
Declare the credential requirement, use a dedicated least-privilege token restricted to the needed Moodle functions and courses, and avoid using full administrator tokens.
