Skill v1.1.0
ClawScan security
BilimClass · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 5, 2026, 2:24 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (talks to BilimClass APIs using JWTs you provide), but there are inconsistencies and a prompt-injection signal in the SKILL.md that deserve closer review before you install or provide credentials.
- Guidance: This skill appears to be an unofficial BilimClass client that needs your BilimClass JWTs and account IDs stored in ~/.openclaw/.env.json. That is coherent with its purpose, but do the following before installing:
  1. Inspect the SKILL.md and scripts/bilimclass.py in a plain-text/hex editor for hidden (zero-width) characters or unexpected instructions (pre-scan flagged unicode control chars).
  2. Only provide tokens if you trust the code — these JWTs grant access to your BilimClass account; the main token is long-lived.
  3. Keep ~/.openclaw/.env.json private (file permissions 600) and ensure it is gitignored.
  4. Confirm the script only calls the two BilimClass endpoints shown (api.bilimclass.kz and journal-service.bilimclass.kz) — no other external hosts should appear.
  5. If unsure, run the Python script locally without installing as a skill and observe network calls (use a network monitor or sandbox) before enabling as an OpenClaw skill.
  6. Ask the publisher to fix the metadata mismatch (registry vs SKILL.md) and explain why unicode control chars are present; absence of a clear explanation increases risk.
- Findings
  - [unicode-control-chars] unexpected: SKILL.md contained unicode control characters according to the pre-scan. These are not necessary to implement an API client and can be used to hide or obfuscate content or perform prompt injection. Inspect the SKILL.md and README for zero-width or control characters before trusting the instructions.
Review Dimensions
- Purpose & Capability (note): Name/description, README, SKILL.md, and the script all align: the skill reads a local OpenClaw .env.json entry and calls BilimClass schedule and journal APIs. However, registry metadata (no required env/config) does not match the SKILL.md's explicit requirement of ~/.openclaw/.env.json; that mismatch should be clarified.
- Instruction Scope (concern): Instructions ask you to extract sensitive tokens (localStorage.token and an Authorization header) via browser DevTools and store them in ~/.openclaw/.env.json — this is expected for an unofficial client but is inherently sensitive. Additionally, a pre-scan flagged 'unicode-control-chars' in SKILL.md (prompt-injection pattern), which could be used to hide or manipulate text; the presence of such characters in the runtime instructions is suspicious and should be examined (open SKILL.md in a hex/clean-text viewer).
- Install Mechanism (ok): Instruction-only skill plus a Python script; no install spec/downloading of arbitrary archives. Requires Python requests (checked at runtime). No remote install URLs or extracted archives were found.
- Credentials (note): The skill requests a set of BilimClass-specific tokens and IDs (token, journalToken, schoolId, eduYear, userId, studentSchoolUuid, studentGroups). These are proportional to the stated purpose. Note: registry-level metadata didn't list these requirements, but SKILL.md explicitly requires the ~/.openclaw/.env.json file with these fields. Tokens are long-lived (main token ~1 year) — storing them in a file increases risk if the file isn't protected.
- Persistence & Privilege (ok): The skill does not request always:true, does not attempt to modify other skills or system settings, and only reads a local OpenClaw .env.json. No elevated persistence or cross-skill config changes detected.
