Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

homework-grade

v1.0.0

Automatically downloads student homework from QQ email, unzips files, performs AI grading based on templates, and generates an Excel grade report.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yaouuu/homework-gader-skill.

Install the skill "homework-grade" (yaouuu/homework-gader-skill) from ClawHub.
Skill page: https://clawhub.ai/yaouuu/homework-gader-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install homework-gader-skill

ClawHub CLI

npx clawhub@latest install homework-gader-skill
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements the advertised functionality (IMAP download from QQ, unzip, AI grading, Excel output). However, the implementation requires an OpenAI API key (OPENAI_API_KEY) and expects local template files, neither of which are declared in the skill metadata (requires.env is empty and templates are not bundled). requirements.txt omits the openai client. These are legitimate needs for AI grading but should be declared; omission is an incoherence.
Instruction Scope
The instructions say '调用AI评分' ("call AI grading") but do not disclose that the full student code will be sent to an external AI provider. The code reads all .py files and sends them to OpenAI. The skill also writes attachments to disk, extracts zip archives with zip_ref.extractall (no sanitization), and executes student .py files via subprocess.run, all of which expose the environment to untrusted input. The SKILL.md does not warn about these behaviors or recommend sandboxing.
Install Mechanism
There is no install spec (instruction-only in registry), but the bundle includes code and a requirements.txt. requirements.txt lists pandas and openpyxl but omits the openai dependency required by the code. This mismatch means the runtime may fail or the operator may implicitly install additional packages, which increases risk.
Credentials
The skill accepts email_user and email_auth_code as inputs (appropriate for IMAP access). However, the ai_grader module expects OPENAI_API_KEY via environment variable but the skill metadata does not declare this credential. That omission is significant because student source code will be sent to a third-party API using that key. No other unrelated credentials are requested, but the undeclared API key and unannounced external transmission are disproportionate to what the SKILL.md communicates.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It stores files under data/... within the skill workspace. Persistence and privilege level are reasonable for the task, but combined with execution of untrusted code this still poses runtime risk.
What to consider before installing
This skill mostly does what it says, but there are several red flags you should resolve before using it with real student data or credentials:

- Undeclared OpenAI usage: The grader reads student code and calls OpenAI via OPENAI_API_KEY, but that key is not declared in the skill metadata and the openai package is not listed in requirements.txt. Ask the author to declare OPENAI_API_KEY as a required credential and add the openai package to requirements.
- External data exfiltration: Student source files are sent to an external AI provider (OpenAI). If student code is sensitive/personal, obtain consent or avoid sending it externally.
- Executing untrusted code: The skill runs student .py files with subprocess.run. This can run arbitrary malicious code. Only run in an isolated, ephemeral sandbox/container with no sensitive network/filesystem access.
- Unsafe zip extraction: zip_ref.extractall is used without sanitizing paths (zip-slip). Ensure filenames are sanitized or extract inside a strict sandbox.
- Missing templates/resources: template_manager returns templates/assignment_{id}, but no templates are bundled. Confirm where templates come from and ensure they are trustworthy.

Recommended actions before installing or running:

1) Require the author to update skill.yaml to declare OPENAI_API_KEY and add openai to requirements.txt; document that student code will be sent to OpenAI.
2) Run the skill in a locked-down container or VM (no network or limited network) until you validate behavior.
3) Inspect or provide the templates directory, and consider local-only grading if you cannot allow external AI calls.
4) Patch code to validate zip entries and avoid path traversal; do not run student code on the host—use sandboxing/time/resource limits and consider static analysis instead of execution.
5) If you must use it, use a throwaway QQ account and rotate its auth code afterwards.

Given these gaps and risky behaviors, treat the skill as suspicious until the author addresses the above points.

Like a lobster shell, security has layers — review code before you run it.

latestvk97as4fxycpmv8bhh7kw5490gx83s5r7
118 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

📚 Homework Grader Skill

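🧠 Overview

Automatically downloads student homework (zip) from a QQ mailbox, parses student information, performs template-based AI grading, and generates a grade Excel file.


🎯 Use Case

Teachers collect homework through QQ Mail, and students submit it in this format:

Name-StudentID-AssignmentNumber.zip

The system automatically:

  1. Downloads the attachments
  2. Unzips the homework
  3. Matches the template
  4. Performs AI grading and writes comments
  5. Generates the Excel grade sheet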

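📥 Input Parameters (Inputs)

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| assignment_id | int | | Assignment number (which assignment in the sequence) |
| email_user | string | | QQ Mail account |
| email_auth_code | string | | QQ Mail authorization code |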

📤 Output Results (Outputs)

| Parameter | Type | Description |
| --- | --- | --- |
| excel_path | string | Path of the generated grade Excel file |

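⚙️ Execution Flow (Workflow)

1. Connect to QQ Mail (IMAP)
2. Fetch attachments from unread emails
3. Filter for zip files
4. Parse the file name (name-student ID-assignment)
5. Unzip the files
6. Load the matching assignment template
7. Call AI grading
8. Aggregate the grades
9. Generate the Excel file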
