Xuexitong Homework Submit
WarnAudited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated Chaoxing homework-automation purpose, but the handwritten-answer upload path uses plaintext HTTP with an authenticated session, which could expose your login cookie and answers.
Install only if you are comfortable giving the skill a Chaoxing session cookie and letting it save or submit homework. Prefer temp-save and manual review before any final submit, protect the cookie file, and avoid the handwritten image upload flow until the HTTP upload/cookie handling is fixed or clearly mitigated.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone on the network could potentially see homework answer images or steal the Chaoxing session cookie during upload.
The handwritten-answer pipeline posts uploaded files to a plaintext HTTP provider URL using a session configured with a raw Cookie header, so answer images and session cookies can be exposed or modified in transit.
"Cookie": cookie_header ... url = "http://notice.chaoxing.com/pc/files/uploadNoticeFile" ... r = s.post(url, files=files, timeout=30)
Avoid the handwritten upload pipeline on untrusted networks; the maintainer should use HTTPS if supported, avoid sending raw cookies on HTTP requests, and clearly warn users about this credential/data flow.
Anyone or any agent process that can use this cookie can act as the user on Chaoxing for the supported homework workflows.
The skill uses a persistent Chaoxing session cookie to access the user's account; this is expected for the integration and disclosed, but it is sensitive credential material.
- 默认 Cookie 文件:`~/.openclaw/credentials/xuexitong_cookie.txt`
Store the cookie carefully, refresh or revoke it if exposed, and treat it as a real login credential; the registry metadata should declare this credential/config path.
A mistaken final submit could send incomplete or wrong answers to the user's course account.
The script can submit homework to the Chaoxing API, but the code includes an explicit --confirm gate for final submission.
if (not temp_save) and (not args.confirm): die("refusing to submit without --confirm") ... doNormalHomeWorkSubmit" + f"?tempSave={'true' if temp_save else 'false'}"Use save/temp-save first, review the homework in Chaoxing, and only allow --confirm when the user explicitly asks to submit.
The handwritten rendering step depends on code and packages not fully represented by this skill's manifest.
The handwriting pipeline relies on an external local HandWrite virtualenv and dependencies outside the provided requirements/install spec.
hw_dir = ws / "HandWrite" ... hw_py = hw_dir / ".venv" / "bin" / "python" ... p = subprocess.run(cmd, capture_output=True, text=True)
Only use the handwriting pipeline with a trusted HandWrite installation, and prefer pinned, documented dependencies.