SJTU Canvas 课程助手

SJTU Canvas LMS 课程助手。管理上海交通大学 Canvas (oc.sjtu.edu.cn) 课程数据。 也适用于其他基于 Canvas LMS 的高校，修改 base_url 即可。 触发场景: (1) 查看/下载课程文件(PPT/PDF)、批量下载课件 (2) 查看作业列表、DDL、提交状态、提...

This skill appears to do what it says: it needs your Canvas API token (stored in config.json) so only provide a token with the minimum necessary scope and keep the file private. Be aware the scripts will read/write local files (downloads, extracted Markdown) and will create Apple Calendar events on macOS when you run calendar_sync.py. There are a few non-security issues you should review before trusting the skill: (1) submit_assignment contains a string-formatting bug in its upload URL construction — it will likely fail and should be corrected to use f"{get_base_url()}/api/v1/..."; (2) file_extractor supports DOCX but SKILL.md/README omit python-docx in the pip install instructions (the extractor will return an instruction if python-docx is missing); (3) always confirm before allowing any automated submission — the SKILL.md notes this, and you should verify local file paths and files to be uploaded. If you want extra assurance, inspect the code locally or run the scripts in a controlled environment (e.g., a throwaway account) before pointing them at your primary Canvas account.

Type: OpenClaw Skill Name: sjtu-canvas Version: 1.0.1 The skill bundle provides legitimate Canvas LMS integration but contains a high-risk command injection vulnerability in `scripts/calendar_sync.py`. The script constructs AppleScript strings using f-strings that incorporate external data (assignment titles and descriptions) and executes them via `osascript`; a maliciously named assignment on the Canvas platform could trigger arbitrary code execution on the user's macOS system. While `scripts/canvas_api.py` handles sensitive API tokens and contains a syntax error in its URL formatting, there is no evidence of intentional data exfiltration or malicious intent, classifying these issues as vulnerabilities rather than malware.