student-rooms
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill matches a student-housing monitoring purpose, but it relies on an unreviewed external CLI and can start background monitoring, OpenClaw agent alerts, and cron jobs without clear stop or cleanup controls.
Before installing or using this skill, verify the actual student-rooms CLI code because it is not included here. Do not let the agent start watch mode, create cron jobs, or trigger OpenClaw agent sessions unless you explicitly want ongoing automation and know how to stop and remove it. Use trusted notification endpoints and protect any Telegram bot token you configure.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may depend on local code that was not reviewed as part of this skill package.
The skill instructs use of a local CLI and virtual environment, but the evaluated package contains only SKILL.md and no install spec or code for that CLI.
cd /path/to/student-rooms-cli source .venv/bin/activate
Only use this with a CLI installation you trust, and verify the local repository or package before letting an agent run its commands.
A monitoring process could continue running and sending alerts after the immediate conversation unless the user knows how to stop it.
The skill explicitly encourages a long-running background process, but does not document how the user approves, stops, supervises, or cleans it up.
Use `watch` as a background process for ongoing monitoring.
Require explicit user confirmation before starting watch mode, run it only in a visible/supervised session, and document stop and cleanup steps.
The skill could create scheduled follow-up automation that acts later outside the user’s immediate view.
Cron-job creation is persistent scheduled behavior, and the artifact does not define what the job runs, where it is installed, how long it remains, or how to remove it.
Optional: `create_job_on_match: true` creates a one-shot cron job for reservation assistance.
Do not enable cron-job creation unless the exact job command, schedule, permissions, and removal procedure are shown to and approved by the user.
Room-availability details and configured alert context may be shared with another agent session.
The skill can pass alert context into another OpenClaw agent session; this is purpose-aligned for alerts but is an inter-agent data flow users should notice.
**agent**: Triggers an OpenClaw agent session with the alert as context.
Use the simpler message notification mode unless an agent follow-up is needed, and confirm what context will be passed to the new session.
Accommodation alerts may be delivered to third-party services or chat destinations configured by the user.
The skill supports sending notifications to external webhook and Telegram destinations, which is expected for alerts but sends data outside the local agent environment.
| `webhook` | `notifications.webhook.url` | Any HTTP endpoint (Discord, Slack, ntfy.sh) | | `telegram` | `notifications.telegram.bot_token` + `chat_id` | Telegram bot |
Use trusted notification endpoints and avoid including unnecessary personal details in alert messages.
Local state may remain after scans and could affect future monitoring results.
The skill stores local state about previously seen accommodation options; this is proportionate for deduplication, but the artifact does not specify the storage path or retention.
Alerts only on **new** options not previously seen. Persists seen options locally to avoid duplicate alerts.
Document where seen-option state is stored and provide a clear reset or cleanup command.
If configured, the agent will need access to a Telegram bot credential to send alerts.
Telegram notification support requires a bot token; this is expected for the integration, and the artifact does not show hardcoding or leakage.
`notifications.telegram.bot_token` + `chat_id`
Store notification credentials securely and use a dedicated bot token with the minimum access needed.