Skill v1.1.1
ClawScan security
magister.net · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 17, 2026, 5:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code and runtime instructions match its description: it needs your Magister host, username, and password to log into Magister and fetch schedule, grades, and infractions, and it only talks to Magister endpoints.
- Guidance: This skill will use the MAGISTER_HOST, MAGISTER_USER, and MAGISTER_PASSWORD you provide to authenticate with accounts.magister.net and your school's Magister host and then fetch data. The included source (magister.mjs) is visible and performs those calls; there are no other network endpoints or hidden behaviors in the code. Before installing, consider: only supply credentials you trust this code to use; since the source/homepage is unknown, review the included magister.mjs yourself or only install if you trust the publisher; prefer using an account/password you can revoke or an app-specific credential if possible; avoid reusing your Magister password elsewhere. Autonomous invocation is allowed by default on the platform, but this skill doesn't require 'always' privilege and will only run when invoked.
Review Dimensions
- Purpose & Capability: ok. Name/description, required binaries (node), and required env vars (MAGISTER_HOST, MAGISTER_USER, MAGISTER_PASSWORD) align with the implemented functionality. The host restriction to *.magister.net is enforced in code.
- Instruction Scope: ok. SKILL.md only instructs running node magister.mjs with specific commands. The script reads only the declared environment variables and performs HTTP(S) calls to accounts.magister.net and the provided magister host; it does not reference other files, config paths, or unrelated services.
- Install Mechanism: ok. No install spec; instruction-only with an included script. Nothing is downloaded or written at install time.
- Credentials: ok. The three required env vars are appropriate for the task (host, user, password). No unrelated credentials or extra secrets are requested.
- Persistence & Privilege: ok. 'always' is false and the skill is user-invocable only. The skill does not attempt to modify other skills or system-wide settings.
