Skillv2.0.0

ClawScan security

Moodle Connector · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 30, 2026, 12:22 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code implements a Moodle connector as described, but there are several incoherences and unsafe defaults (undeclared required env vars, hard-coded 'test-pass' password, plaintext token storage, and at least one code bug) that you should understand and fix before using it with real credentials.
Guidance: This skill appears to implement the advertised Moodle features but has several red flags you should address before using it with real credentials: 1) The registry metadata lists no required env vars but the SKILL.md and code require SSO client IDs/secrets and an encryption password — assume you must supply them. 2) Do NOT store MOODLE_CRED_PASSWORD or client secrets in plaintext config files (the README currently suggests adding them to claude_desktop_config.json); instead provide them via a secure secret store or prompt at runtime. 3) The code includes insecure defaults: mcp_server.py and batch_downloader.py use a hard-coded 'test-pass' password which will fail to decrypt real credentials and is a security risk if left in production. Change/remove hard-coded defaults. 4) config.json can hold a Moodle web_service_token in plaintext — prefer encrypted storage or environment-based injection. 5) There is at least one obvious bug: batch_downloader.py uses os.getenv but does not import os (will crash). 6) Playwright will download browser binaries at install time — review network activity and run in an isolated environment if you test. 7) The source is listed as unknown/homepage none in the registry snapshot; verify the upstream repository and author before trusting or running. Recommended actions: review the code yourself (or have a developer do so), remove hard-coded passwords, avoid putting secrets into persistent plaintext config, test in a sandbox container, and only then run with real credentials.

Review Dimensions

Purpose & Capability: noteThe files implement a Moodle REST client, SSO flows, batch downloader, and an MCP server — which matches the skill name/description. However the registry metadata declares no required env vars or primary credential while the SKILL.md and code require SSO client secrets and an encryption password (MOODLE_CRED_PASSWORD). That mismatch is unexpected and reduces confidence in the metadata.
Instruction Scope: concernSKILL.md instructs installing Playwright and running browser-based SSO, storing an encryption password in claude_desktop_config.json, and putting tokens in config.json. The code will drive a browser, make network calls to Moodle and Microsoft login endpoints, save encrypted credentials to disk, and can be run as an MCP server. Instructions also recommend placing the encryption password in a config file (plaintext) — this exposes the key used to decrypt stored credentials. There are no instructions to avoid leaking that password, and the README suggests automation (Tampermonkey/CI) that could persist credentials.
Install Mechanism: noteThere is no platform install spec in the registry (instruction-only), but package.json and SKILL.md instruct using pip and Playwright. Dependencies come from PyPI (requests, cryptography, playwright, mcp) and Playwright will fetch browser binaries. This is expected for a browser-driven SSO tool but does perform network downloads at install-time; no obscure or remote single-file download URLs were used.
Credentials: concernThe skill legitimately needs SSO client IDs/secrets and an encryption password, and the SKILL.md documents these env vars. However the registry lists no required env vars. More importantly: (1) the code and SKILL.md encourage storing the encryption password in claude_desktop_config.json (plaintext), (2) config.json is used to store the Moodle web_service_token in plaintext, and (3) multiple places use a default/hard-coded password 'test-pass' (mcp_server.py and batch_downloader.py), which is insecure and inconsistent with SKILL.md's MOODLE_CRED_PASSWORD guidance. These practices increase the risk of credential exposure.
Persistence & Privilege: okThe skill is not force-included (always:false) and does not request system-wide privileges. The MCP server runs over stdio and does not modify other skills' configurations. Autonomous invocation (disable-model-invocation:false) is the platform default and is not by itself flagged. The main concern is user-provided configuration that may persist secrets.