Canvas LMS
PassAudited by ClawScan on May 1, 2026.
Overview
This is a straightforward instruction-only Canvas API helper, but it requires a Canvas token that can read sensitive school account data.
This skill appears benign and purpose-aligned for reading Canvas information. Before using it, be comfortable granting the agent access to your Canvas token and the data it can read, especially grades, inbox messages, submissions, and course files. Verify the Canvas URL is your school’s real domain and store or revoke the token carefully.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill can expose Canvas profile, courses, assignments, grades, submissions, course files, and inbox data to the agent session.
The skill requires a Canvas bearer token and sends it in authenticated API requests. This is expected for the stated Canvas LMS purpose, but it grants access to the Canvas account data available to that token.
Generate an API token in Canvas... export CANVAS_TOKEN="your_token_here" ... curl -s -H "Authorization: Bearer $CANVAS_TOKEN"
Use a Canvas token only for the intended account, verify the CANVAS_URL domain, store the token securely, avoid committing .env files, and revoke the token when it is no longer needed.
Users may not realize from the registry metadata alone that the skill needs a Canvas API token and Canvas URL.
The registry metadata does not declare the CANVAS_TOKEN and CANVAS_URL setup described in SKILL.md. This is a disclosure/configuration gap, not hidden code behavior.
Required env vars: none; Env var declarations: none; Primary credential: none
The skill metadata should declare CANVAS_TOKEN, CANVAS_URL, and the Canvas API token requirement so users see the credential dependency before reading the full instructions.