Magister 1
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill appears to match its stated Magister-reading purpose, but it requires real school-portal credentials and stores a local access-token cache.
This skill is reasonable for fetching Magister schedules, grades, and infractions, but only install it if you are comfortable giving the agent access to that school portal account. Protect the required environment variables, avoid running the included integration tests unless needed, and delete .token_cache.json if you want to clear cached access.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using the skill is allowing the agent to access private Magister information for the configured account.
The skill needs real Magister login credentials and can read grades and infractions. This is expected for the stated purpose, but it gives the agent access to sensitive school-account data.
"env":["MAGISTER_HOST","MAGISTER_USER","MAGISTER_PASSWORD"] ... node magister.mjs grades <aanmelding_id> [top] ... node magister.mjs infractions <id> <from> <to>
Use only credentials for accounts you are authorized to access, and consider whether the agent should see student grades, schedules, and absence/infraction details.
A local user or process with access to the skill directory may be able to read the cached access token while it is valid.
Access tokens are persisted locally in the skill directory and reused until they expire. This is a common convenience but means a credential-like token remains on disk.
const CACHE_FILE = join(DIR, '.token_cache.json'); ... cache[key] = token; saveCache(cache);
Keep the skill directory private, delete .token_cache.json when finished or if credentials change, and avoid sharing the directory with others.
Running the tests can invoke the Magister CLI against real accounts using environment variables or local .env files.
The static exec finding comes from the test harness spawning the local CLI with test credentials. It does not use shell interpolation and is not part of the SKILL.md command flow unless tests are deliberately run.
const result = spawnSync('node', [CLI, ...args], { ... env: { ...process.env, ...envVars }, timeout: 30_000 });Do not run the integration tests unless you intend to use the supplied Magister credentials for live portal calls.