SJTU Canvas 课程助手 (SJTU Canvas Course Assistant)

by xhh678876 · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Downloads: 105 · Stars: 0 · Active Installs: 0 · Versions: 2
Install in OpenClaw
/install sjtu-canvas
Description
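SJTU Canvas LMS course assistant. Manages course data on Shanghai Jiao Tong University's Canvas (oc.sjtu.edu.cn). It also works for other universities that run Canvas LMS; just change base_url. Trigger scenarios: (1) viewing/downloading course files (PPT/PDF) and batch-downloading courseware (2) viewing the assignment list, DDLs, submission status, 提...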
Usage Guidance
This skill appears to do what it says: it needs your Canvas API token (stored in config.json) so only provide a token with the minimum necessary scope and keep the file private. Be aware the scripts will read/write local files (downloads, extracted Markdown) and will create Apple Calendar events on macOS when you run calendar_sync.py. There are a few non-security issues you should review before trusting the skill:
  (1) submit_assignment contains a string-formatting bug in its upload URL construction — it will likely fail and should be corrected to use f"{get_base_url()}/api/v1/...";
  (2) file_extractor supports DOCX but SKILL.md/README omit python-docx in the pip install instructions (the extractor will return an instruction if python-docx is missing);
  (3) always confirm before allowing any automated submission — the SKILL.md notes this, and you should verify local file paths and files to be uploaded.
If you want extra assurance, inspect the code locally or run the scripts in a controlled environment (e.g., a throwaway account) before pointing them at your primary Canvas account.
Capability Analysis
Type: OpenClaw Skill
Name: sjtu-canvas
Version: 1.0.1
The skill bundle provides legitimate Canvas LMS integration but contains a high-risk command injection vulnerability in `scripts/calendar_sync.py`. The script constructs AppleScript strings using f-strings that incorporate external data (assignment titles and descriptions) and executes them via `osascript`; a maliciously named assignment on the Canvas platform could trigger arbitrary code execution on the user's macOS system. While `scripts/canvas_api.py` handles sensitive API tokens and contains a syntax error in its URL formatting, there is no evidence of intentional data exfiltration or malicious intent, classifying these issues as vulnerabilities rather than malware.
Capability Assessment
Purpose & Capability
Name/description describe Canvas LMS operations and the code + SKILL.md only request a Canvas API token and local paths. The code interacts with Canvas endpoints, downloads course files, extracts text, and syncs to Apple Calendar — all match the stated features.
Instruction Scope
Runtime instructions and scripts operate on expected artifacts: config.json (contains canvas_token and base_url), course files, and local file paths. The calendar sync uses osascript to create Calendar events on macOS. The SKILL.md explicitly instructs the user to provide the token and to confirm before submitting assignments. Note: scripts will read and write local files and may access any file paths you pass them (normal for this kind of tool).
Install Mechanism
No automated install spec; this is instruction-only plus included Python scripts. Dependencies are installed via pip per the README/SKILL.md. No downloads from untrusted URLs or archive extraction are present.
Credentials
No environment variables are requested; instead the skill expects a config.json containing a Canvas API token and base_url — this is appropriate for Canvas integration. The token is powerful (access to your Canvas data) so protecting it is necessary. The skill does not request unrelated credentials.
Persistence & Privilege
The skill is not forced-always and does not ask to modify other skills or global agent settings. It uses normal agent invocation privileges. calendar_sync will create calendar events (expected behavior) but only on macOS via AppleScript.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install sjtu-canvas
  3. After installation, invoke the skill by name or use /sjtu-canvas
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Add credit to SJTU-Canvas-Helper as inspiration, highlight AI homework tutoring and knowledge point matching features
v1.0.0
Initial release: Canvas API, courseware extraction, DDL calendar sync, grade tracking, assignment submission
Metadata
Slug sjtu-canvas
Version 1.0.1
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 2
Frequently Asked Questions

What is SJTU Canvas 课程助手?

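SJTU Canvas LMS course assistant. Manages course data on Shanghai Jiao Tong University's Canvas (oc.sjtu.edu.cn). It also works for other universities that run Canvas LMS; just change base_url. Trigger scenarios: (1) viewing/downloading course files (PPT/PDF) and batch-downloading courseware (2) viewing the assignment list, DDLs, submission status, 提... It is an AI Agent Skill for Claude Code / OpenClaw, with 105 downloads so far.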

How do I install SJTU Canvas 课程助手?

Run "/install sjtu-canvas" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SJTU Canvas 课程助手 free?

Yes, SJTU Canvas 课程助手 is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does SJTU Canvas 课程助手 support?

SJTU Canvas 课程助手 is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created SJTU Canvas 课程助手?

It is built and maintained by xhh678876 (@xhh678876); the current version is v1.0.1.
