Edsby Grades Board

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its Edsby and Google Calendar purpose, but it uses persistent login sessions/OAuth tokens and can write to Google Calendar without clear scoping or approval controls.

Review this skill carefully before installing. Use a dedicated Google Calendar if possible, confirm exactly where Edsby sessions and Google tokens are stored, verify OAuth scopes, and require approval before any calendar sync. Do not install unless you trust the skill to access student grade data and modify calendar events.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may retain and reuse logged-in Edsby and Google access, which could expose student records or allow calendar changes if misconfigured or invoked unexpectedly.

Why it was flagged

The code reuses a persistent browser session and local Google OAuth tokens, while the registry metadata declares no primary credential or required config paths. This is high-impact account/session access without clear scoping or retention controls.

Skill content

BROWSER_CONTEXT_PATH: process.env.BROWSER_CONTEXT_PATH || path.join(process.env.HOME, '.openclaw/browser-contexts/edsby')
...
const tokens = JSON.parse(fs.readFileSync('google-tokens.json', 'utf-8'));
oauth2Client.setCredentials(tokens);

Recommendation

Declare the required credentials and token/profile paths, document where sessions are stored, limit OAuth scopes, and provide clear setup and revocation instructions.

What this means

The skill could create duplicate, incorrect, or unwanted events in the user's Google Calendar, especially because it defaults to the primary calendar.

Why it was flagged

The tool directly inserts calendar events for assignments, and the daily-check tool chains fetching into syncing, but the artifacts do not show confirmation, duplicate detection, validation, or undo behavior.

Skill content

await calendar.events.insert({ calendarId: config.GOOGLE_CALENDAR_ID, resource: event });
...
name: 'edsby_daily_check'
...
await ... edsby_sync_assignments ...

Recommendation

Require explicit user approval before writing events, default to a dedicated calendar, validate due dates, add duplicate prevention, and provide a clear way to review and remove generated events.

What this means

Installing the skill may pull dependency versions that differ over time, which can affect reliability and supply-chain reviewability.

Why it was flagged

The skill relies on external npm packages with version ranges rather than exact pins. These packages are expected for browser automation and Google Calendar integration, but the install/provenance details are incomplete.

Skill content

"dependencies": { "playwright": "^1.41.0", "googleapis": "^128.0.0" }

Recommendation

Pin dependency versions or provide a lockfile and document the installation process.