← Back to Skills Marketplace
1158
Downloads
0
Stars
0
Active Installs
2
Versions
Install in OpenClaw
/install iserv
Description
HTTP client for IServ school platforms. Log in to an IServ instance (e.g. https://grabbe-dt.de) and fetch common student data like unread mail counts, calendar events, files/folders, tasks/exercises, announcements/news, and other IServ modules via HTTP endpoints. Includes best-effort file ops + exercise submission.
README (SKILL.md)
IServ (school platform)
This skill uses an HTTP client (no browser automation) to log in and call IServ endpoints.
Credentials / security
- Do NOT hardcode credentials.
- Provide credentials via environment variables.
Single profile:
ISERV_BASE_URL(e.g.https://grabbe-dt.de)ISERV_USERISERV_PASS
Multiple profiles (parallel):
- set
ISERV_PROFILE=\x3Cname>or pass--profile \x3Cname> - provide
ISERV_\x3CPROFILE>_BASE_URL,ISERV_\x3CPROFILE>_USER,ISERV_\x3CPROFILE>_PASS
Commands
cd skills/iserv/scripts
# unread inbox count
./iserv.py mail-unread
# last 3 mails (IMAP)
./iserv.py mail-last --n 3
# upcoming calendar events (JSON)
./iserv.py calendar-upcoming
# list files (JSON)
./iserv.py files-list --path "/" # root
./iserv.py files-list --path "/Files" # typical user file area
# search files/folders recursively by substring
./iserv.py files-search --query "bio" --start-dir "/Files" --max-depth 6
# download a file (best-effort across IServ versions)
./iserv.py files-download --path "/Files/foo.pdf" --out-dir ./downloads
# upload a file (prefers FS Dropzone-style chunked upload; falls back to legacy form upload)
./iserv.py files-upload --file ./foo.pdf --dest-dir "/Files"
# optionally tune chunk size (bytes)
./iserv.py files-upload --file ./foo.pdf --dest-dir "/Files" --chunk-size 8388608
# create folder (best-effort; depends on IServ version)
./iserv.py files-mkdir --path "/Dokumente/Neu"
# rename/move (best-effort)
./iserv.py files-rename --src "/Dokumente/Alt.txt" --dest "/Dokumente/Neu.txt"
# delete (best-effort; USE WITH CARE)
./iserv.py files-delete --path "/Dokumente/Neu.txt"
# messenger: list chats / conversations
./iserv.py messenger-chats
# messenger: fetch messages for a chat
./iserv.py messenger-messages --chat-id \x3CID>
# messenger: send message
./iserv.py messenger-send --chat-id \x3CID> --text "Hello"
# list exercises (best-effort HTML scrape)
./iserv.py exercise-list --limit 50
# view one exercise + list attachments (optionally download them)
./iserv.py exercise-detail --id 123
./iserv.py exercise-detail --id 123 --download-dir ./downloads
# attempt to submit an exercise file (best-effort; depends on IServ version)
./iserv.py exercise-submit --id 123 --file ./solution.pdf --comment "Abgabe"
Notes / next steps
-
Exercises: listing/details/submission are implemented via HTML scraping. Submission is now form-driven (parses the actual
\x3Cform>on the exercise page and posts multipart), which is more robust than guessing an internal upload API. If it still fails on a specific IServ instance, capture:- the HTML of the exercise detail page (after login)
- response status + redirect URL
-
Files: list/download/upload + mkdir/rename/delete are implemented as best-effort across IServ versions. Some instances expose slightly different endpoints; the client tries to discover Symfony FOS routes (when available) and falls back to common API paths.
Ideas to extend further:
- richer exercise parsing (due dates, teacher, description)
- announcements/news
- messenger notifications (currently experimental)
- robust file search, move/copy, and recursive folder download
Reference: IServ routes are discoverable via the bundled FOS routes JS (commonly /iserv/js/fos_js_routes.js; some instances also use /iserv/js/assets/fos_js_routes*.js).
Usage Guidance
This skill contains a runnable Python client that will log into an IServ instance and may access mail (IMAP), send mail (SMTP), list and upload files, and submit exercises — so it needs your IServ URL plus username/password (or profile-prefixed equivalents). Before installing or running: 1) Do not use high-privilege/admin credentials; create/use a limited test account if possible. 2) Verify the registry metadata is corrected (it should declare ISERV_BASE_URL, ISERV_USER, ISERV_PASS as required). 3) Manually inspect scripts/iserv.py for any hard-coded external endpoints or unexpected network calls (the bundle appears to use only the target IServ host and standard mail protocols). 4) Run the script in an isolated environment or with network restrictions if you are concerned about exposing real student data. If the publisher cannot explain the metadata mismatch, treat the package with caution.
Capability Analysis
Type: OpenClaw Skill
Name: iserv
Version: 0.1.0
The skill is classified as suspicious due to a critical Local File Write (LFW) vulnerability in `scripts/iserv.py`. The `files_download` and `exercise_download_attachment` functions extract filenames from the `Content-Disposition` HTTP header without sufficient sanitization. A malicious IServ server could provide a filename containing path traversal sequences (e.g., `../../evil.sh`), allowing the agent to write files to arbitrary locations on the local filesystem. This LFW vulnerability could lead to Remote Code Execution (RCE) if a sensitive file is overwritten. While this is a severe flaw, it's a vulnerability in the implementation of a legitimate feature rather than clear evidence of intentional malicious behavior by the skill developer.
Capability Assessment
Purpose & Capability
The name, description, SKILL.md, and the included scripts/iserv.py are coherent: this is an HTTP client for IServ that also uses IMAP/SMTP for mail operations and implements file and exercise ops. However, the registry metadata claims no required environment variables or primary credential, while SKILL.md and the code clearly require ISERV_BASE_URL, ISERV_USER, and ISERV_PASS (and support profile-prefixed env vars). That mismatch is an inconsistency that should be resolved.
Instruction Scope
SKILL.md limits runtime actions to logging into an IServ instance and calling endpoints (mail, calendar, files, messenger, exercises). It instructs the user to provide credentials via env vars and shows explicit CLI commands. The only minor scope note: debugging guidance asks the user to capture HTML of exercise pages after login (which may contain sensitive content) — that is a user-facing troubleshooting step, not an automatic exfiltration, so treat captured outputs as sensitive.
Install Mechanism
No install spec is provided (instruction-only skill with an included script). That reduces install-time risk because nothing is downloaded from external URLs during installation. The bundled Python script will run when invoked; review code before execution.
Credentials
The skill requires credentials to access an IServ instance (ISERV_BASE_URL, ISERV_USER, ISERV_PASS, and optional profile-prefixed variants), but the registry metadata does not declare these env vars or a primary credential. This omission is a red flag because users may not be warned that they must supply sensitive credentials. The code also uses IMAP/SMTP connections derived from the base host (mail operations), which is consistent with the stated functionality but increases the sensitivity of the credentials in use. No unrelated credentials are requested, but the declared metadata should match reality.
Persistence & Privilege
The skill is not configured as always:true and does not request system-wide persistence. It does not include an install script that modifies other skills or agent settings. Autonomous invocation is allowed (platform default), which is expected for skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install iserv - After installation, invoke the skill by name or use
/iserv - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release: mail (IMAP/SMTP), calendar, files (best-effort), exercises (best-effort).
v1.0.0
Initial release: login + unread mail count, last mails via IMAP, calendar upcoming, and file list. Multi-profile env support.
Metadata
Frequently Asked Questions
What is Iserv?
HTTP client for IServ school platforms. Log in to an IServ instance (e.g. https://grabbe-dt.de) and fetch common student data like unread mail counts, calendar events, files/folders, tasks/exercises, announcements/news, and other IServ modules via HTTP endpoints. Includes best-effort file ops + exercise submission. It is an AI Agent Skill for Claude Code / OpenClaw, with 1158 downloads so far.
How do I install Iserv?
Run "/install iserv" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Iserv free?
Yes, Iserv is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Iserv support?
Iserv is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Iserv?
It is built and maintained by finnbusse (@finnbusse); the current version is v0.1.0.
More Skills