ClassCharts
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following these instructions too broadly could change a ClassCharts account password or spend a student's reward balance without the user clearly approving the exact action.
The skill documents account password changes and includes a quick example that purchases the first rewards-shop item, but it does not require explicit user confirmation or a user-selected item before these mutating actions.
| `changePassword(current, new)` | Change parent account password | ... const purchase = await client.purchaseReward(rewards.data[0].id);
Only allow password changes or reward purchases after explicit user confirmation, and require the user to specify the target account, pupil, item, and intended change.
Anyone with these credentials could access homework, behaviour, attendance, detentions, announcements, and related pupil information available to the account.
The skill requires ClassCharts login credentials and, for student login, a student code plus date of birth. This is disclosed and expected for the integration, but it grants access to sensitive school and pupil data.
env: - CLASSCHARTS_EMAIL - CLASSCHARTS_PASSWORD - CLASSCHARTS_CODE ... Student logs in with ClassCharts code and date of birth.
Store credentials only in environment variables or a secret manager, avoid putting them in prompts or logs, and use the least-privileged account needed.
A compromised or changed package version could affect how credentials or ClassCharts data are handled.
The skill relies on an unpinned third-party npm package for an unofficial API. This is central to the skill's purpose, but users are depending on that package's integrity and future updates.
install: npm install classcharts-api ... The API is unofficial.
Pin and review the package version before use, and install it only from a trusted npm registry or reviewed source.
