← 返回 Skills 市场
finnbusse

Iserv

作者 finnbusse · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
1158
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install iserv
功能描述
HTTP client for IServ school platforms. Log in to an IServ instance (e.g. https://grabbe-dt.de) and fetch common student data like unread mail counts, calendar events, files/folders, tasks/exercises, announcements/news, and other IServ modules via HTTP endpoints. Includes best-effort file ops + exercise submission.
使用说明 (SKILL.md)

IServ (school platform)

This skill uses an HTTP client (no browser automation) to log in and call IServ endpoints.

Credentials / security

  • Do NOT hardcode credentials.
  • Provide credentials via environment variables.

Single profile:

  • ISERV_BASE_URL (e.g. https://grabbe-dt.de)
  • ISERV_USER
  • ISERV_PASS

Multiple profiles (parallel):

  • set ISERV_PROFILE=\x3Cname> or pass --profile \x3Cname>
  • provide ISERV_\x3CPROFILE>_BASE_URL, ISERV_\x3CPROFILE>_USER, ISERV_\x3CPROFILE>_PASS

Commands

cd skills/iserv/scripts

# unread inbox count
./iserv.py mail-unread

# last 3 mails (IMAP)
./iserv.py mail-last --n 3

# upcoming calendar events (JSON)
./iserv.py calendar-upcoming

# list files (JSON)
./iserv.py files-list --path "/"        # root
./iserv.py files-list --path "/Files"   # typical user file area

# search files/folders recursively by substring
./iserv.py files-search --query "bio" --start-dir "/Files" --max-depth 6

# download a file (best-effort across IServ versions)
./iserv.py files-download --path "/Files/foo.pdf" --out-dir ./downloads

# upload a file (prefers FS Dropzone-style chunked upload; falls back to legacy form upload)
./iserv.py files-upload --file ./foo.pdf --dest-dir "/Files"
# optionally tune chunk size (bytes)
./iserv.py files-upload --file ./foo.pdf --dest-dir "/Files" --chunk-size 8388608

# create folder (best-effort; depends on IServ version)
./iserv.py files-mkdir --path "/Dokumente/Neu"

# rename/move (best-effort)
./iserv.py files-rename --src "/Dokumente/Alt.txt" --dest "/Dokumente/Neu.txt"

# delete (best-effort; USE WITH CARE)
./iserv.py files-delete --path "/Dokumente/Neu.txt"

# messenger: list chats / conversations
./iserv.py messenger-chats

# messenger: fetch messages for a chat
./iserv.py messenger-messages --chat-id \x3CID>

# messenger: send message
./iserv.py messenger-send --chat-id \x3CID> --text "Hello"

# list exercises (best-effort HTML scrape)
./iserv.py exercise-list --limit 50

# view one exercise + list attachments (optionally download them)
./iserv.py exercise-detail --id 123
./iserv.py exercise-detail --id 123 --download-dir ./downloads

# attempt to submit an exercise file (best-effort; depends on IServ version)
./iserv.py exercise-submit --id 123 --file ./solution.pdf --comment "Abgabe"

Notes / next steps

  • Exercises: listing/details/submission are implemented via HTML scraping. Submission is now form-driven (parses the actual \x3Cform> on the exercise page and posts multipart), which is more robust than guessing an internal upload API. If it still fails on a specific IServ instance, capture:

    • the HTML of the exercise detail page (after login)
    • response status + redirect URL

  • Files: list/download/upload + mkdir/rename/delete are implemented as best-effort across IServ versions. Some instances expose slightly different endpoints; the client tries to discover Symfony FOS routes (when available) and falls back to common API paths.

Ideas to extend further:

  • richer exercise parsing (due dates, teacher, description)
  • announcements/news
  • messenger notifications (currently experimental)
  • robust file search, move/copy, and recursive folder download

Reference: IServ routes are discoverable via the bundled FOS routes JS (commonly /iserv/js/fos_js_routes.js; some instances also use /iserv/js/assets/fos_js_routes*.js).

安全使用建议
This skill contains a runnable Python client that will log into an IServ instance and may access mail (IMAP), send mail (SMTP), list and upload files, and submit exercises — so it needs your IServ URL plus username/password (or profile-prefixed equivalents). Before installing or running: 1) Do not use high-privilege/admin credentials; create/use a limited test account if possible. 2) Verify the registry metadata is corrected (it should declare ISERV_BASE_URL, ISERV_USER, ISERV_PASS as required). 3) Manually inspect scripts/iserv.py for any hard-coded external endpoints or unexpected network calls (the bundle appears to use only the target IServ host and standard mail protocols). 4) Run the script in an isolated environment or with network restrictions if you are concerned about exposing real student data. If the publisher cannot explain the metadata mismatch, treat the package with caution.
功能分析
Type: OpenClaw Skill Name: iserv Version: 0.1.0 The skill is classified as suspicious due to a critical Local File Write (LFW) vulnerability in `scripts/iserv.py`. The `files_download` and `exercise_download_attachment` functions extract filenames from the `Content-Disposition` HTTP header without sufficient sanitization. A malicious IServ server could provide a filename containing path traversal sequences (e.g., `../../evil.sh`), allowing the agent to write files to arbitrary locations on the local filesystem. This LFW vulnerability could lead to Remote Code Execution (RCE) if a sensitive file is overwritten. While this is a severe flaw, it's a vulnerability in the implementation of a legitimate feature rather than clear evidence of intentional malicious behavior by the skill developer.
能力评估
Purpose & Capability
The name, description, SKILL.md, and the included scripts/iserv.py are coherent: this is an HTTP client for IServ that also uses IMAP/SMTP for mail operations and implements file and exercise ops. However, the registry metadata claims no required environment variables or primary credential, while SKILL.md and the code clearly require ISERV_BASE_URL, ISERV_USER, and ISERV_PASS (and support profile-prefixed env vars). That mismatch is an inconsistency that should be resolved.
Instruction Scope
SKILL.md limits runtime actions to logging into an IServ instance and calling endpoints (mail, calendar, files, messenger, exercises). It instructs the user to provide credentials via env vars and shows explicit CLI commands. The only minor scope note: debugging guidance asks the user to capture HTML of exercise pages after login (which may contain sensitive content) — that is a user-facing troubleshooting step, not an automatic exfiltration, so treat captured outputs as sensitive.
Install Mechanism
No install spec is provided (instruction-only skill with an included script). That reduces install-time risk because nothing is downloaded from external URLs during installation. The bundled Python script will run when invoked; review code before execution.
Credentials
The skill requires credentials to access an IServ instance (ISERV_BASE_URL, ISERV_USER, ISERV_PASS, and optional profile-prefixed variants), but the registry metadata does not declare these env vars or a primary credential. This omission is a red flag because users may not be warned that they must supply sensitive credentials. The code also uses IMAP/SMTP connections derived from the base host (mail operations), which is consistent with the stated functionality but increases the sensitivity of the credentials in use. No unrelated credentials are requested, but the declared metadata should match reality.
Persistence & Privilege
The skill is not configured as always:true and does not request system-wide persistence. It does not include an install script that modifies other skills or agent settings. Autonomous invocation is allowed (platform default), which is expected for skills.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install iserv
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /iserv 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release: mail (IMAP/SMTP), calendar, files (best-effort), exercises (best-effort).
v1.0.0
Initial release: login + unread mail count, last mails via IMAP, calendar upcoming, and file list. Multi-profile env support.
元数据
Slug iserv
版本 0.1.0
许可证
累计安装 0
当前安装数 0
历史版本数 2
常见问题

Iserv 是什么?

HTTP client for IServ school platforms. Log in to an IServ instance (e.g. https://grabbe-dt.de) and fetch common student data like unread mail counts, calendar events, files/folders, tasks/exercises, announcements/news, and other IServ modules via HTTP endpoints. Includes best-effort file ops + exercise submission. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1158 次。

如何安装 Iserv?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install iserv」即可一键安装,无需额外配置。

Iserv 是免费的吗?

是的,Iserv 完全免费(开源免费),可自由下载、安装和使用。

Iserv 支持哪些平台?

Iserv 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Iserv?

由 finnbusse(@finnbusse)开发并维护,当前版本 v0.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论