← Back to Skills Marketplace

Church Account

Name: Church Account
Author: nathan-deepmm

by nathan-deepmm · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

586

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install church-account

Description

Automate tasks on churchofjesuschrist.org and LCR (Leader & Clerk Resources). Use when logging into LDS church accounts, looking up ward/stake rosters, manag...

README (SKILL.md)

Church Account (LDS/LCR)

Automate login and tasks on churchofjesuschrist.org.

Login

OAuth Flow

The church uses OAuth via id.churchofjesuschrist.org. Any protected page redirects to login:

Enter username → click Next
Enter password → click Verify
Redirects back to target page with session cookies

No MFA or CAPTCHA is typically required. Playwright + playwright-stealth handles it cleanly.

Credentials

Store in a password vault or environment variables:

Username (church account email or membership ID)
Password

Login with Playwright

import asyncio
from playwright.async_api import async_playwright
from playwright_stealth import Stealth

async def login(target_url="https://lcr.churchofjesuschrist.org", cookies_path="/tmp/church_cookies.json"):
    async with async_playwright() as p:
        browser = await p.chromium.launch(
            headless=True,
            args=["--no-sandbox", "--disable-blink-features=AutomationControlled", "--disable-dev-shm-usage"]
        )
        context = await browser.new_context(
            viewport={"width": 1920, "height": 1080},
            user_agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 ..."
        )
        page = await context.new_page()
        await Stealth().apply_stealth_async(page)
        await page.goto(target_url)

        # Enter username
        await page.fill('input[name="identifier"]', USERNAME)
        await page.click('button[type="submit"]')

        # Enter password
        await page.wait_for_selector('input[type="password"]')
        await page.fill('input[type="password"]', PASSWORD)
        await page.click('button[type="submit"]')

        # Wait for redirect
        await page.wait_for_url(f"{target_url}/**", timeout=30000)

        # Save session
        await context.storage_state(path=cookies_path.replace('.json', '_state.json'))
        await browser.close()

Reusing a Session

After login, use saved storage state to skip re-authentication:

context = await browser.new_context(
    storage_state="/tmp/church_cookies_state.json",
    viewport={"width": 1920, "height": 1080},
    user_agent="Mozilla/5.0 ..."
)
page = await context.new_page()
await Stealth().apply_stealth_async(page)

Key URLs

Service	URL
LCR (Leader & Clerk Resources)	https://lcr.churchofjesuschrist.org
Ward Directory	https://directory.churchofjesuschrist.org
Calendar	https://www.churchofjesuschrist.org/calendar
Donations	https://donations.churchofjesuschrist.org
Temple Reservations	https://tos.churchofjesuschrist.org
My Home	https://www.churchofjesuschrist.org/my-home
Account Settings	https://id.churchofjesuschrist.org/account

LCR Sections

After login, LCR provides access to:

Membership — member records, move-in/out, new members
Callings — current callings, sustaining, setting apart
Ministering & Welfare — assignments, needs
Finance — tithing settlement, budget, donations
Missionary — full-time and ward missionaries
Temple — recommend status, temple activity
Reports — attendance, quarterly reports

Tips

Login sessions persist via cookies — no need to re-login every request
Headless Chrome with playwright-stealth avoids detection
Storage state files contain auth tokens — treat as sensitive

Usage Guidance

This skill appears to be what it says (automating LDS/LCR website tasks) but it has several red flags you should consider before installing or running it: - Missing declarations: The SKILL.md expects Python, Playwright, playwright-stealth, and a Chromium browser but the skill metadata lists no required binaries or install steps. Verify and install these dependencies from official sources yourself rather than trusting an unknown installer. - Credentials handling: The code expects USERNAME and PASSWORD but the skill does not declare required environment variables. Do not put credentials into plaintext env variables or world-readable /tmp files. Use a secure password vault and inject secrets at runtime if possible. - Sensitive persistence: The skill saves storage_state (auth tokens/cookies) to disk. Those files are equivalent to logged-in sessions—store them encrypted, restrict file permissions, and delete when no longer needed. - Sandbox/stealth flags: The recommended browser arguments include --no-sandbox and stealth techniques intended to evade detection. --no-sandbox reduces process isolation and increases risk if you run this on a shared or untrusted host. Prefer running automation in an isolated, single-tenant environment (e.g., a disposable VM or container) and avoid --no-sandbox unless you understand the risk. - Source trust: The source/homepage is unknown. Only run this skill if you trust the author or can inspect and control the code that will run. If you plan to use it, prefer copying the provided code into a controlled repo, lock dependencies to known good versions, and review any third-party libraries (playwright-stealth implementations can be unvetted). If you want to proceed safely: obtain the dependencies from official registries, run the automation in an isolated container/VM, keep credentials in a vault and inject at runtime, secure storage_state files, and remove or avoid using --no-sandbox and other flags that weaken sandboxing.

Capability Analysis

Type: OpenClaw Skill Name: church-account Version: 1.0.0 The skill is classified as suspicious due to significant security vulnerabilities. It stores sensitive authentication tokens in a world-writable `/tmp/church_cookies_state.json` file, which could lead to local information disclosure. Additionally, it uses the `--no-sandbox` argument for Playwright, weakening the browser's security posture and increasing the risk of compromise if the browser engine is exploited. While the skill's stated purpose is legitimate, these insecure practices in SKILL.md represent critical vulnerabilities rather than direct malicious intent.

Capability Assessment

ℹ Purpose & Capability

The name/description and SKILL.md are coherent: both describe automating churchofjesuschrist.org/LCR tasks via a browser automation flow. However, the skill fails to declare the real runtime requirements (Python, Playwright, playwright-stealth, and a Chromium browser), which is an inconsistency.

⚠ Instruction Scope

Instructions explicitly tell the agent how to perform OAuth login, manage sessions, and persist storage_state (auth tokens) to disk. They also recommend using playwright-stealth and pass browser args including --no-sandbox and --disable-blink-features=AutomationControlled to avoid detection. Saving storage_state and cookies to /tmp and using stealth flags broaden the sensitive scope and weaken sandbox protections; the instructions give the agent discretion over sensitive items without safe-handling specifics.

ℹ Install Mechanism

There is no install spec (instruction-only), which minimizes installer risk, but the runtime code requires Playwright, playwright-stealth, and Chromium. Those are not declared in metadata; a user would need to install them manually. The absence of an install spec plus required binaries is an operational mismatch to be aware of.

⚠ Credentials

SKILL.md expects credentials (USERNAME, PASSWORD) and suggests storing them in a vault or env vars, but requires.env and primary credential are empty. Sensitive artifacts (storage_state JSON) are written to /tmp with no guidance on encryption/permissions. Requesting credential usage without declaring them is disproportionate and risky.

ℹ Persistence & Privilege

The skill does not request always:true nor modify other skills. It does instruct saving persistent session state and cookies to disk which is normal for session reuse but creates long-lived sensitive artifacts; treat these files as secrets and protect them appropriately.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install church-account
After installation, invoke the skill by name or use /church-account
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release

Metadata

Slug church-account

Version 1.0.0

License —

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Church Account?

Automate tasks on churchofjesuschrist.org and LCR (Leader & Clerk Resources). Use when logging into LDS church accounts, looking up ward/stake rosters, manag... It is an AI Agent Skill for Claude Code / OpenClaw, with 586 downloads so far.

How do I install Church Account?

Run "/install church-account" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Church Account free?

Yes, Church Account is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Church Account support?

Church Account is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Church Account?

It is built and maintained by nathan-deepmm (@nathan-deepmm); the current version is v1.0.0.

More Skills