School

v1.0.0

AI-powered K-12 education with age-adapted learning, homework help, exam prep, parental controls, progress tracking, and curriculum support.

by Iván @ivangdavila
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (K-12 tutoring, parental controls, progress tracking) matches the provided files and runtime instructions. It is instruction-only, requests no binaries, env vars, or external credentials, and declares a local workspace (~/school/) which is a reasonable way to keep user data for this purpose.
Instruction Scope
SKILL.md instructs the agent to create and manage a ~/school/ workspace containing per-child profiles, progress, calendars, uploaded materials, and config.md (family settings/PINs). The skill repeatedly asserts 'never collect' certain PII and 'parents cannot see conversation text,' yet it also says it stores 'session history (for continuity)' and allows uploads (e.g., textbook photos). The instructions do not specify how uploaded materials are processed (locally vs remote), what exactly is kept in 'session history', or how to implement secure handling of config (PINs). These gaps create ambiguity about what data is written, where it is sent, and how it is protected.
Install Mechanism
No install spec and no code/files to execute means the skill is instruction-only; this is the lowest-risk install mechanism. There is nothing being downloaded or extracted by the skill itself.
Credentials
The skill requests no environment variables or external credentials, which is proportionate. However, it implies storing sensitive runtime data (parent PINs, session history, progress, uploaded materials) under ~/school/ without specifying encryption, access controls, or secret handling. Safety.md claims 'Encrypted storage' and 'No third-party sharing' but provides no implementation details — a mismatch between claimed protections and operational instructions.
Persistence & Privilege
always:false (no forced inclusion) and normal autonomous invocation settings are appropriate. The skill does, however, instruct the agent to persist data on disk under ~/school/ (profiles, config.md, session history). Persisting parental PINs or configuration there without explicit secure storage guidance is a privacy risk. This persistence is expected for a tutoring app but the protection level is unspecified.
What to consider before installing
This skill appears to be a well-structured pedagogy/instruction bundle, but before installing or using it with real children you should clarify a few technical details. Ask the publisher or developer: (1) Where is uploaded/processed content handled — entirely local on your device or sent to a remote service? (2) Exactly what is stored in session history and config.md (are conversation transcripts stored?), where are those files located, and how long are they retained? (3) How are parental PINs and other sensitive settings protected at rest (encryption, OS keyring) and in backups? (4) What is the deletion/export policy for a child's data? (5) Confirm that the 'no photos of child' rule will be enforced (and whether uploads are scanned or blocked). If you cannot get clear answers and technical assurances (e.g., local-only processing, encrypted storage, documented retention/deletion), avoid using this skill with real child PII or consider running it only in a controlled/local environment where you can inspect/create the ~/school/ directory and verify files yourself.

Like a lobster shell, security has layers — review code before you run it.

latestvk97138r3wyqgf6bsekg898xnsd815ase

Runtime requirements

🏫 Clawdis
OS: Linux · macOS · Windows
