ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Moodle Claw

v1.1.0

Interact with Moodle LMS to browse courses, access learning materials, and answer questions about course content.

0· 138·0 current·0 all-time
byRomain Mellaza@4strium

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for 4strium/moodle-claw.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Moodle Claw" (4strium/moodle-claw) from ClawHub.
Skill page: https://clawhub.ai/4strium/moodle-claw
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install moodle-claw

ClawHub CLI

Package manager switcher

npx clawhub@latest install moodle-claw
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name and description match the actions described in SKILL.md (listing courses, downloading files, extracting PDF text). The skill asks the user to install a moodle-claw CLI binary which is consistent with a CLI-based integration. Minor inconsistency: registry metadata showed no homepage/source, while SKILL.md includes a GitHub repository and release URL — likely an oversight but worth confirming.
Instruction Scope
Runtime instructions are limited to installing the CLI, running its commands, and configuring Moodle access. They explicitly instruct users to provide a token, SSO redirect URL, or username/password. The SSO method instructs the user to copy a moodlemobile:// token URL from the browser network console — this is sensitive but consistent with known Moodle mobile token retrieval approaches. The instructions do not ask the agent to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
The skill directs downloading a single binary from a GitHub releases URL and verifies a SHA256 checksum before chmod +x. Using GitHub releases with a checksum is reasonable, but direct binary download and execution is inherently higher risk than installing from a tracked package manager or building from source. Confirm the release, checksum, and repository history before running the binary.
Credentials
The skill declares no environment variables or platform credentials, and the configuration prompts (token or username/password for the target Moodle instance) are proportional to the task of connecting to an LMS. No unrelated credentials or config paths are requested.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request elevated platform privileges or claim to modify other skills. Installing the binary will create an executable on the host, but the skill itself does not request system-wide privileges beyond that.
Scan Findings in Context
[NO_CODE_FILES] expected: The skill is instruction-only (only SKILL.md present). The regex-based scanner had no code files to analyze; this is expected for an instruction-only skill but means there's no static code review of the binary the skill instructs you to download.
Assessment
This skill appears to do what it says (a CLI client for Moodle) but it requires you to download and run a third-party binary and to provide Moodle credentials or an SSO token. Before installing: 1) Verify the GitHub repository and release page referenced in SKILL.md (inspect source, release notes, and recent commits). 2) Manually verify the SHA256 checksum from the release page matches the one in SKILL.md (or better: fetch the checksum from the repo/release metadata). 3) Prefer obtaining an API token from your Moodle admin rather than entering username/password; when using the SSO method, be careful copying tokens from your browser devtools and understand they can grant access to your account. 4) If possible, run the binary in a restricted/sandboxed environment first (or build from source) to reduce risk. 5) Note the registry metadata omitted homepage info — confirm the upstream project identity before trusting the binary.

Like a lobster shell, security has layers — review code before you run it.

latestvk9739m2ham2p2a4a08mt6rtee183p92n
138downloads
0stars
2versions
Updated 1mo ago
v1.1.0
MIT-0
Romain Mellaza@4strium
latest
Download

Moodle-Claw Skill

This skill allows you to interact with a Moodle learning management system (LMS) to help users with their courses, assignments, and learning materials.

Setup

If moodle-claw binary is missing, download it:

URL="https://github.com/4strium/moodle-claw/releases/download/v1.0/moodle-claw" SHA256="0ce9e6ad4e42c626ebe2c4ce79bde23da3386dc8e4b54a87da0a345a1a0252aa"

curl -L -o moodle-claw "$URL" echo "$SHA256 moodle-claw" | sha256sum -c - chmod +x moodle-claw

Configuration

Before using moodle-claw commands, the user needs to configure their Moodle connection:

moodle-claw configure

This will interactively prompt for:

  1. Moodle server URL - e.g., https://moodle.university.edu
  2. Authentication method - Token (direct), SSO (redirect URL), or Username/Password
  3. Download path - Where to save downloaded files

Authentication Methods

Option 1: Direct Token

If you already have a 32-character hex token:

moodle-claw configure --url https://moodle.example.com --token YOUR_32_CHAR_TOKEN --path ~/Documents/Moodle

Option 2: SSO Authentication (recommended for universities)

For institutions using SSO (Single Sign-On):

  1. Log into your Moodle account in a web browser
  2. Open the developer console (press F12) and go to the Network tab
  3. Visit this URL in the same browser tab (replace with your Moodle URL): 
    https://YOUR_MOODLE_URL/admin/tool/mobile/launch.php?service=moodle_mobile_app&passport=12345&urlscheme=moodlemobile
  4. The page will fail to load - this is expected! An error will occur.
  5. In the Network tab, find the failed request (it should be red/failed)
  6. Right-click on the failed request > Copy > Copy link address
    • The URL looks like: moodlemobile://token=BASE64_ENCODED_STRING
  7. Use the copied URL: 
    moodle-claw configure --url https://moodle.example.com --sso-url "moodlemobile://token=..." --path ~/Documents/Moodle

Or use interactive mode and select "SSO (redirect URL)":

moodle-claw configure

Option 3: Username/Password

For institutions allowing direct login:

moodle-claw configure --url https://moodle.example.com --username your_user --password your_pass --path ~/Documents/Moodle

Available Commands

Check Status

moodle-claw status [--output json]

Shows current configuration and connection status.

List Courses

moodle-claw courses [--filter "math"] [--refresh] [--output json]

Lists all enrolled courses. Use --refresh to fetch latest from server.

View Course Content

moodle-claw content "Course Name" [--section "TD2"] [--output json]
moodle-claw content 12345  # by course ID

Shows the structure of a course (sections, modules, files).

Search Content

moodle-claw search "exercise" [--course "Physics"] [--type file] [--output json]

Searches for content across courses.

Download Files

moodle-claw get "Course/Section/file.pdf" [--course "Math"] [--dest /tmp]
moodle-claw get --url "https://moodle.../pluginfile.php/..." [--dest /tmp]

# Extract text from PDF files (recommended for reading content)
moodle-claw get "file.pdf" --text --output json

Downloads a file and returns its local path. Use --text (-t) to automatically extract text content from PDF files.

Sync Course

moodle-claw sync "Course Name" [--dest ~/Courses] [--no-confirm]
moodle-claw sync  # syncs all enabled courses

Downloads all files from a course.

Usage Patterns

When user asks about a course

  1. First, list courses to find the right one: moodle-claw courses --filter "keyword"
  2. Then get its content: moodle-claw content "Course Name"
  3. If needed, download specific files: moodle-claw get "path/to/file.pdf"

When user asks about specific content (e.g., "TD2", "exercise 3")

  1. Search for the content: moodle-claw search "TD2" --course "Course Name"
  2. Download and extract text from PDF: moodle-claw get "path/to/file.pdf" --text
  3. The extracted text will be included in the output for you to analyze

When user wants to work offline

  1. Sync the entire course: moodle-claw sync "Course Name" --no-confirm
  2. Files will be available locally for reading

Output Formats

All commands support --output json for structured output, or the default markdown format for human readability.

Example Interactions

User: "Explique-moi le cours de mécanique"

# 1. Find the course
moodle-claw courses --filter "mécanique" --output json

# 2. Get course structure
moodle-claw content "Mécanique" --output json

# 3. Download relevant materials and explain
moodle-claw get "Mécanique/Chapitre 1/cours.pdf" --output json

User: "Quel est l'exercice 3 du TD2 en maths?"

# 1. Search for TD2 in math course
moodle-claw search "TD2" --course "maths" --output json

# 2. Download the TD2 file and extract text
moodle-claw get "TD2.pdf" --course "maths" --text --output json

# The text content will be in the JSON output for you to analyze

User: "Télécharge tous les fichiers du cours de physique"

moodle-claw sync "Physique" --no-confirm

Notes

  • Files are cached locally after first download
  • Use --refresh on moodle-claw courses to update the course list from server
  • Course names support fuzzy matching (partial names work)
  • The --output json flag is useful for parsing structured data
  • Use --text with moodle-claw get to extract text from PDF files directly

Security / Vetting

  • Source code fully open-source
  • SHA256 checksum verified before execution
  • Token, credentials and configuration saved locally on this machine

Comments

Loading comments...