Moodle Connector

Moodle REST API client, batch downloader, and MCP server for Claude Code integration. SSO-enabled with support for Azure AD, Google, and SAML.

This skill appears to implement the advertised Moodle features but has several red flags you should address before using it with real credentials: 1) The registry metadata lists no required env vars but the SKILL.md and code require SSO client IDs/secrets and an encryption password — assume you must supply them. 2) Do NOT store MOODLE_CRED_PASSWORD or client secrets in plaintext config files (the README currently suggests adding them to claude_desktop_config.json); instead provide them via a secure secret store or prompt at runtime. 3) The code includes insecure defaults: mcp_server.py and batch_downloader.py use a hard-coded 'test-pass' password which will fail to decrypt real credentials and is a security risk if left in production. Change/remove hard-coded defaults. 4) config.json can hold a Moodle web_service_token in plaintext — prefer encrypted storage or environment-based injection. 5) There is at least one obvious bug: batch_downloader.py uses os.getenv but does not import os (will crash). 6) Playwright will download browser binaries at install time — review network activity and run in an isolated environment if you test. 7) The source is listed as unknown/homepage none in the registry snapshot; verify the upstream repository and author before trusting or running. Recommended actions: review the code yourself (or have a developer do so), remove hard-coded passwords, avoid putting secrets into persistent plaintext config, test in a sandbox container, and only then run with real credentials.

Type: OpenClaw Skill Name: moodle-connector Version: 2.0.0 The skill bundle contains a significant security vulnerability: a hardcoded default encryption password ('test-pass') is used in 'mcp_server.py' and 'batch_downloader.py' to protect the local credential store, contradicting the documentation's claim that an environment variable is required. Additionally, 'moodle_connector.py' utilizes Playwright for browser automation to scrape authentication tokens from Moodle SSO/MFA flows; while this is aligned with the stated purpose of handling enterprise authentication, browser automation and token scraping are high-risk capabilities in an AI agent context. The discrepancy between the security instructions in 'SKILL.md' and the actual implementation in 'mcp_server.py' warrants a suspicious classification.