ClawHub

Canvas LMS

v1.0.0

Access Canvas LMS (Instructure) for course data, assignments, grades, and submissions. Use when checking due dates, viewing grades, listing courses, or fetching course materials from Canvas.

5· 2.3k·3 current·3 all-time
byPranav Karthik@pranavkarthik10
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md gives legitimate Canvas REST API endpoints for courses, assignments, grades, and files. The actions described are coherent with the stated purpose.
Instruction Scope
The SKILL.md stays on-task: it only explains how to call Canvas API endpoints, how to include the Canvas token, how to handle pagination and responses, and how to parse results. It does not instruct the agent to read unrelated files or to transmit data to unknown endpoints.
Install Mechanism
Instruction-only skill with no install spec or codefiles. This has low installation risk because nothing is downloaded or written by an installer.
!
Credentials
The runtime instructions require a sensitive API token (CANVAS_TOKEN) and a Canvas instance URL (CANVAS_URL), but the registry metadata lists no required environment variables or primary credential. Requesting a bearer token is proportionate to the task, but the metadata omission is an inconsistency and a transparency problem. The SKILL.md also suggests storing the token in a .env file (which has persistence implications) without guidance about token scopes or least privilege.
Persistence & Privilege
always is false and the skill is user-invocable; nothing in the instructions requests elevated system privileges or modifications to other skills or system-wide configs. No persistent installers are present.
What to consider before installing
This skill appears to be a straightforward Canvas API helper, but the registry metadata does not declare the sensitive environment variables the SKILL.md asks you to set (CANVAS_TOKEN and CANVAS_URL). Before using or installing: 1) Verify the skill's source/owner (no homepage provided). 2) Create a Canvas API token with minimal scope (not an admin/global token) and use a revocable token you can delete later. 3) Prefer setting CANVAS_TOKEN only in a short-lived session environment rather than committing it to a shared ~/.env or repository. 4) Confirm CANVAS_URL points to your institution's official domain. 5) Ask the publisher to update the metadata to declare required env vars (so permission prompts are accurate). If you cannot verify the origin or cannot limit the token scope, do not install or provide your token.

Like a lobster shell, security has layers — review code before you run it.

latestvk976mtqsr4zpdvphbh3v31s8517zjkc7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments