Magister 1

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: magister-1
Version: 1.0.5

The skill provides a functional CLI wrapper for the Dutch school portal Magister (magister.net) to retrieve student schedules, grades, and attendance records. The implementation in `magister.mjs` uses a standard OIDC implicit flow to authenticate against the official `accounts.magister.net` endpoint and includes a local token caching mechanism (`.token_cache.json`). No evidence of data exfiltration, malicious execution, or prompt injection was found; the code is well-structured and aligns strictly with its stated purpose.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone using the skill is allowing the agent to access private Magister information for the configured account.

Why it was flagged

The skill needs real Magister login credentials and can read grades and infractions. This is expected for the stated purpose, but it gives the agent access to sensitive school-account data.

Skill content

"env":["MAGISTER_HOST","MAGISTER_USER","MAGISTER_PASSWORD"] ... node magister.mjs grades <aanmelding_id> [top] ... node magister.mjs infractions <id> <from> <to>

Recommendation

Use only credentials for accounts you are authorized to access, and consider whether the agent should see student grades, schedules, and absence/infraction details.

What this means

A local user or process with access to the skill directory may be able to read the cached access token while it is valid.

Why it was flagged

Access tokens are persisted locally in the skill directory and reused until they expire. This is a common convenience but means a credential-like token remains on disk.

Skill content

const CACHE_FILE = join(DIR, '.token_cache.json'); ... cache[key] = token; saveCache(cache);

Recommendation

Keep the skill directory private, delete `.token_cache.json` when finished or if credentials change, and avoid sharing the directory with others.

What this means

Running the tests can invoke the Magister CLI against real accounts using environment variables or local .env files.

Why it was flagged

The static exec finding comes from the test harness spawning the local CLI with test credentials. It does not use shell interpolation and is not part of the SKILL.md command flow unless tests are deliberately run.

Skill content

const result = spawnSync('node', [CLI, ...args], { ... env: { ...process.env, ...envVars }, timeout: 30_000 });

Recommendation

Do not run the integration tests unless you intend to use the supplied Magister credentials for live portal calls.