Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Iserv
v0.1.0HTTP client for IServ school platforms. Log in to an IServ instance (e.g. https://grabbe-dt.de) and fetch common student data like unread mail counts, calendar events, files/folders, tasks/exercises, announcements/news, and other IServ modules via HTTP endpoints. Includes best-effort file ops + exercise submission.
⭐ 0· 1.1k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name, description, SKILL.md, and the included scripts/iserv.py are coherent: this is an HTTP client for IServ that also uses IMAP/SMTP for mail operations and implements file and exercise ops. However, the registry metadata claims no required environment variables or primary credential, while SKILL.md and the code clearly require ISERV_BASE_URL, ISERV_USER, and ISERV_PASS (and support profile-prefixed env vars). That mismatch is an inconsistency that should be resolved.
Instruction Scope
SKILL.md limits runtime actions to logging into an IServ instance and calling endpoints (mail, calendar, files, messenger, exercises). It instructs the user to provide credentials via env vars and shows explicit CLI commands. The only minor scope note: debugging guidance asks the user to capture HTML of exercise pages after login (which may contain sensitive content) — that is a user-facing troubleshooting step, not an automatic exfiltration, so treat captured outputs as sensitive.
Install Mechanism
No install spec is provided (instruction-only skill with an included script). That reduces install-time risk because nothing is downloaded from external URLs during installation. The bundled Python script will run when invoked; review code before execution.
Credentials
The skill requires credentials to access an IServ instance (ISERV_BASE_URL, ISERV_USER, ISERV_PASS, and optional profile-prefixed variants), but the registry metadata does not declare these env vars or a primary credential. This omission is a red flag because users may not be warned that they must supply sensitive credentials. The code also uses IMAP/SMTP connections derived from the base host (mail operations), which is consistent with the stated functionality but increases the sensitivity of the credentials in use. No unrelated credentials are requested, but the declared metadata should match reality.
Persistence & Privilege
The skill is not configured as always:true and does not request system-wide persistence. It does not include an install script that modifies other skills or agent settings. Autonomous invocation is allowed (platform default), which is expected for skills.
What to consider before installing
This skill contains a runnable Python client that will log into an IServ instance and may access mail (IMAP), send mail (SMTP), list and upload files, and submit exercises — so it needs your IServ URL plus username/password (or profile-prefixed equivalents). Before installing or running: 1) Do not use high-privilege/admin credentials; create/use a limited test account if possible. 2) Verify the registry metadata is corrected (it should declare ISERV_BASE_URL, ISERV_USER, ISERV_PASS as required). 3) Manually inspect scripts/iserv.py for any hard-coded external endpoints or unexpected network calls (the bundle appears to use only the target IServ host and standard mail protocols). 4) Run the script in an isolated environment or with network restrictions if you are concerned about exposing real student data. If the publisher cannot explain the metadata mismatch, treat the package with caution.Like a lobster shell, security has layers — review code before you run it.
latestvk978yvxqn165kmvax6yy4k48m980x0t7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.