Exam Paper Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly aligned with exam-paper generation, but its question-bank scripts use subject names directly in file paths, which could let crafted inputs read or overwrite JSON files outside the intended data folder.
This skill appears intended for local exam generation and does not show network calls or credential use. Before installing, be aware that it persists question and wrong-answer data locally, requires the reportlab Python package, and should only import trusted question JSON files until subject/path validation is added.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted question-bank file or unusual subject name could cause the skill to modify files outside its advertised exam-data folder.
The subject value comes from imported JSON or command-line flags and is inserted into a filesystem path without validation or normalization. A value containing path separators or '..' could escape the intended questions/errors directory and read or overwrite unexpected .json files.
```python
# Excerpt from the skill's question-bank script: the subject name is joined
# straight into the path, so a value containing separators or '..' escapes Q_DIR.
def _q_file(subject):
    return os.path.join(Q_DIR, f"{subject}.json")
...
subject = incoming.get("subject", "general")
qfile = _q_file(subject)
```

Restrict subject names to a safe slug format such as letters, numbers, underscores, and hyphens; reject slashes and '..'; and verify normalized paths stay inside the intended data directory before reading or writing.
Installing the dependency from an untrusted or unexpected package source could add supply-chain risk.
The required PDF library is disclosed, but the skill has no install spec or pinned dependency version, so users must manage installation provenance themselves.
Generating PDFs requires the reportlab library (pip install reportlab)
Install reportlab from a trusted package index, preferably with a pinned version or verified environment.
The skill will run local Python code that reads and writes exam-related files.
The skill instructs the agent to run included local Python scripts. This is central to generating PDFs and managing the question bank, and no hidden or unrelated execution is shown.
```shell
python -X utf8 <skill_dir>/scripts/manage_bank.py export --subject informatics --count 15
```
Use the scripts only with trusted question JSON files and review output paths before running commands.
Stored questions or wrong-answer records may persist between sessions and influence future generated papers or reviews.
The skill intentionally stores reusable question-bank and wrong-answer data on disk. This persistence is disclosed and purpose-aligned, but future exams and reviews depend on the integrity of those stored JSON files.
All question-bank and wrong-answer data is stored in `~/.qclaw/workspace/exam-data/`
Keep the exam-data directory private and trusted, and review imported question banks before adding them.
