Ai Course Agent

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

The skill broadly matches its stated course-generation purpose, but it embeds billing authority in source code and posts the user's account credentials to a hard-coded ngrok tunnel endpoint.

Do not install this skill with real credentials until the author removes and rotates the hardcoded SkillPay key, documents the official Edustem API endpoint, declares the required credentials in registry metadata, and adds clear user identity binding plus confirmation and refund handling for billed course generation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

1. Hardcoded SkillPay billing key in source

What this means

Anyone with the package can read the billing credential and potentially reuse it, and the author’s billing integration has no server-side secret boundary protecting it.

Why it was flagged

The billing API key and skill identifier are embedded in source code and used as the X-API-Key for SkillPay billing requests.

Skill content
const apiKey = 'sk_ee2a96e...';
const skillId = '476d912d-e597-4be0-a031-6ffe2adf3b13';
Recommendation

Rotate the exposed SkillPay key, move billing credentials to a secure server-side secret store, and do not ship raw billing API keys in skill source.

2. Credentials posted to a hard-coded ngrok tunnel endpoint

What this means

Users must trust that this tunnel endpoint is really the intended Edustem service before providing account credentials.

Why it was flagged

The required Edustem username and password are posted to a hard-coded ngrok-free.app endpoint rather than a clearly verified provider domain.

Skill content
const API_BASE_URL = "https://6bb95bf119bf.ngrok-free.app/api/v1";
...
form.append("username", username);
form.append("password", password);
...
axios.post(`${API_BASE_URL}/login/`, form,
Recommendation

Use an official, documented Edustem API domain, clearly disclose the credential destination, and declare the required credentials in registry metadata.
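The following is an added example for this review, not ClawScan's scanner and not the skill's code: a small static check, in JavaScript (the language the skill excerpts are written in), that a reviewer can run over a skill's source before installing it. It covers findings 1 and 2 together: it flags secret-looking string literals assigned to key/secret/token variables, and hard-coded API base URLs whose host is a public tunnel service or is not on an explicit provider allowlist. The tunnel suffix list, the allowlist host api.edustem.example, and SAMPLE_SKILL_SOURCE (a fake key and a made-up ngrok subdomain) are constructed for the example.

```javascript
// Added example (not ClawScan's scanner, not the skill's code): a static
// pre-install check over a skill's source. It flags (1) secret-looking
// literals assigned to key/secret/token/password variables and (2) hard-coded
// API base URLs on a public tunnel host or outside the provider allowlist.
// TUNNEL_HOST_SUFFIXES, the allowlist and SAMPLE_SKILL_SOURCE are constructed.

const TUNNEL_HOST_SUFFIXES = [
  'ngrok-free.app', 'ngrok.io', 'ngrok.app', 'ngrok-free.dev',
  'trycloudflare.com', 'loca.lt',
];

// identifier = 'quoted literal of 8+ chars' (single, double or backtick quotes)
const ASSIGNMENT = /([A-Za-z_$][\w$]*)\s*=\s*(['"`])([^'"`\n]{8,})\2/g;
const SECRET_NAME = /key|secret|token|passw/i;
const URL_LITERAL = /(['"`])(https?:\/\/[^'"`\s]+)\1/g;

function looksLikeSecret(value) {
  // Well-known prefixes first (sk_/sk- style keys, GitHub, Slack, AWS access keys).
  if (/^(sk[-_]|pk[-_]|api[-_]?key|ghp_|xox[abp]-|AKIA)/i.test(value)) return true;
  // Otherwise: long, a single run of token characters, mixing letters and digits.
  return value.length >= 24 && /^[A-Za-z0-9_\-]+$/.test(value)
    && /\d/.test(value) && /[A-Za-z]/.test(value);
}

function hostMatches(host, suffix) {
  return host === suffix || host.endsWith('.' + suffix);
}

// 'tunnel' beats 'allowed': an allowlisted provider should never sit behind one.
function classifyHost(host, allowedHosts) {
  const h = host.toLowerCase();
  if (TUNNEL_HOST_SUFFIXES.some(s => hostMatches(h, s))) return 'tunnel';
  if (allowedHosts.some(a => hostMatches(h, a.toLowerCase()))) return 'allowed';
  return 'unknown';
}

function auditSkillSource(source, allowedHosts) {
  const findings = [];
  for (const m of source.matchAll(ASSIGNMENT)) {
    const [, name, , value] = m;
    if (SECRET_NAME.test(name) && looksLikeSecret(value)) {
      // Never copy the full literal into the report; a short preview is enough.
      findings.push({ kind: 'hardcoded-secret', name, preview: value.slice(0, 4) + '...' });
    }
  }
  for (const m of source.matchAll(URL_LITERAL)) {
    let url;
    try { url = new URL(m[2]); } catch { continue; }
    if (url.protocol !== 'https:') findings.push({ kind: 'insecure-transport', url: m[2] });
    const reason = classifyHost(url.hostname, allowedHosts);
    if (reason !== 'allowed') {
      findings.push({ kind: 'untrusted-endpoint', url: m[2], host: url.hostname, reason });
    }
  }
  return findings;
}

// Constructed sample mirroring the shape of the flagged excerpts; the key is fake
// and the ngrok subdomain is made up.
const SAMPLE_SKILL_SOURCE = [
  "const apiKey = 'sk_FAKE0000000000000EXAMPLE';",
  "const skillId = '00000000-0000-4000-8000-000000000000';",
  'const API_BASE_URL = "https://abc123.ngrok-free.app/api/v1";',
  'const DOCS_URL = "https://api.edustem.example/docs";',
  'form.append("username", username);',
  'form.append("password", password);',
  'await axios.post(`${API_BASE_URL}/login/`, form);',
].join('\n');

console.log(auditSkillSource(SAMPLE_SKILL_SOURCE, ['api.edustem.example']));
```

On the sample this reports one hardcoded-secret finding for apiKey and one untrusted-endpoint finding with reason tunnel; the allowlisted docs URL is not reported. The check is heuristic: it catches the two patterns this report describes, not obfuscated or dynamically assembled secrets and URLs, so treat an empty result as absence of evidence rather than proof.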

3. User charged before credential validation and generation complete

What this means

A request that triggers course generation deducts a token up front, so the user can be charged even if a later API step fails, and no refund or explicit confirmation flow is shown.

Why it was flagged

The skill charges the user at the start of generation, before Edustem credential validation and course generation are completed.

Skill content
// Step 0: Billing check - charge user via SkillPay
const billing = await handleBilling(userId);
Recommendation

Require an authenticated user ID, show a clear charge confirmation, and either charge after successful generation or implement an automatic refund/rollback on failure.
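Added example for the recommendation above, not the skill's code and not SkillPay's API: a billed generation flow in JavaScript that refuses to run without an authenticated user id and an explicit charge confirmation, places a hold on one token before calling the provider, and turns the hold into a charge only after generation succeeds, releasing it on any failure. The hold/commit/release billing interface, InMemoryBilling, fakeEdustem and the credentials used are constructed stand-ins so the flow runs offline.

```javascript
// Added example (not the skill's code, not SkillPay's API): a billed
// course-generation flow that (1) refuses to run without an authenticated
// user id and an explicit charge confirmation, (2) places a hold on one
// token before calling the provider, and (3) commits the hold only after
// generation succeeds, releasing it on any failure.
// InMemoryBilling and fakeEdustem are constructed stand-ins.

class BillingError extends Error {}

// In-memory billing backend with a hypothetical hold/commit/release API.
class InMemoryBilling {
  constructor(balances) {
    this.balances = new Map(Object.entries(balances)); // userId -> tokens
    this.holds = new Map();                            // holdId -> { userId, tokens }
    this.charges = [];                                 // committed holds
    this.nextId = 1;
  }
  // Reserve tokens up front: fails fast when the user cannot pay, so no
  // provider call is made for a user who could never be charged.
  hold(userId, tokens) {
    const balance = this.balances.get(userId) ?? 0;
    if (balance < tokens) throw new BillingError(`insufficient balance for ${userId}`);
    this.balances.set(userId, balance - tokens);
    const holdId = `hold-${this.nextId++}`;
    this.holds.set(holdId, { userId, tokens });
    return holdId;
  }
  commit(holdId) {
    const h = this.holds.get(holdId);
    if (!h) throw new BillingError(`unknown hold ${holdId}`);
    this.holds.delete(holdId);
    this.charges.push(h);
  }
  release(holdId) {
    const h = this.holds.get(holdId);
    if (!h) return;
    this.holds.delete(holdId);
    this.balances.set(h.userId, (this.balances.get(h.userId) ?? 0) + h.tokens);
  }
}

// Constructed stand-in for the Edustem API: one valid login, one topic that fails.
const fakeEdustem = {
  async login(username, password) {
    if (username !== 'alice' || password !== 'correct-horse') throw new Error('login failed');
    return { token: 'session-1' };
  },
  async generateCourse(session, topic) {
    if (topic === 'broken') throw new Error('generation failed');
    return { title: `Course on ${topic}`, session: session.token };
  },
};

async function generateCourseBilled({ userId, confirmedCharge, topic, credentials, billing, edustem }) {
  // Identity binding: a charge must be tied to a verified user, never to an
  // empty or caller-supplied placeholder.
  if (typeof userId !== 'string' || userId.length === 0) {
    throw new Error('refusing to bill: no authenticated user id');
  }
  // Explicit consent: the caller must have shown the price and received a yes.
  if (confirmedCharge !== true) {
    throw new Error('refusing to bill: user has not confirmed the 1-token charge');
  }
  const holdId = billing.hold(userId, 1);
  try {
    const session = await edustem.login(credentials.username, credentials.password);
    const course = await edustem.generateCourse(session, topic);
    billing.commit(holdId);   // charge only once the course actually exists
    return { course, charged: true };
  } catch (err) {
    billing.release(holdId);  // any failure: no net deduction
    throw err;
  }
}

// Exercise every path against the constructed backends; returns a summary.
async function demo() {
  const billing = new InMemoryBilling({ alice: 2, bob: 0 });
  const good = { username: 'alice', password: 'correct-horse' };
  const run = (opts) => generateCourseBilled({
    billing, edustem: fakeEdustem, credentials: good, confirmedCharge: true, ...opts,
  }).catch(e => e.message);
  const r = {};
  r.success = await run({ userId: 'alice', topic: 'crypto' });
  r.balanceAfterSuccess = billing.balances.get('alice');   // 1
  r.providerFailure = await run({ userId: 'alice', topic: 'broken' });
  r.balanceAfterFailure = billing.balances.get('alice');   // still 1
  r.badCredentials = await run({ userId: 'alice', topic: 'crypto',
    credentials: { username: 'alice', password: 'wrong' } });
  r.noUser = await run({ userId: '', topic: 'crypto' });
  r.noConfirmation = await run({ userId: 'alice', topic: 'crypto', confirmedCharge: false });
  r.noBalance = await run({ userId: 'bob', topic: 'crypto' });
  r.charges = billing.charges.length;                      // 1
  r.openHolds = billing.holds.size;                        // 0
  return r;
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

The one path this does not close is a commit that fails after generation succeeded; a production implementation should persist the hold id alongside the generated course so the charge can be retried or reconciled, rather than handing the course over unbilled or silently charging twice.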