Scan Report
5 /100
canvas-lms-student
Read-only Canvas LMS integration for student workflows — list courses, assignments, download files, export deadlines to calendar, search content
A straightforward, read-only Canvas LMS integration skill with clean code, accurate documentation, and no malicious behavior detected.
Safe to install
Approve for use. This skill performs exactly what it declares — read-only access to Canvas LMS course data — using the official canvasapi library with no hidden functionality.
Findings 2 items
| Severity | Finding | Location |
|---|---|---|
| Low | Shell permission declared but not used Doc Mismatch | SKILL.md:9 |
| Info | Dependencies use caret upper bounds Supply Chain | requirements.txt:1 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | download_files.py writes to user-specified --output dir; get_assignment_detail.p… |
| Network | READ | READ | ✓ Aligned | All scripts use canvasapi/requests GET only; no POST, PUT, DELETE, or PATCH call… |
| Shell | WRITE | NONE | ✓ Aligned | No subprocess, os.system, or shell execution found in any script; only standard … |
| Environment | READ | READ | ✓ Aligned | canvas_client.py reads CANVAS_BASE_URL and CANVAS_API_TOKEN only; token used sol… |
| Skill Invoke | NONE | NONE | — | Scripts only call each other via Python import (list_courses.resolve_course_iden… |
| Clipboard | NONE | NONE | — | No clipboard access detected |
| Browser | NONE | NONE | — | No browser automation or WebFetch |
| Database | NONE | NONE | — | No database access |
7 findings
Medium External URL 外部 URL
https://your-school.instructure.com README.md:54 Medium External URL 外部 URL
https://canvas.university.edu SKILL.md:44 Medium External URL 外部 URL
https://canvas.instructure.com/api/v1/ references/api-overview.md:10 Medium External URL 外部 URL
https://canvas.university.edu/api/v1/ references/api-overview.md:11 Medium External URL 外部 URL
https://canvas.instructure.com/api/v1/courses references/api-overview.md:19 Medium External URL 外部 URL
https://calendar.google.com scripts/export_calendar.py:160 Info Email 邮箱地址
[email protected] README.md:29 File Tree
16 files · 71.0 KB · 2248 lines Python 7f · 1532L
Markdown 8f · 714L
Text 1f · 2L
├─
▾
references
│ ├─
api-overview.md
Markdown
│ ├─
assignments.md
Markdown
│ ├─
calendar-export.md
Markdown
│ ├─
courses.md
Markdown
│ ├─
files.md
Markdown
│ └─
search.md
Markdown
├─
▾
scripts
│ ├─
canvas_client.py
Python
│ ├─
download_files.py
Python
│ ├─
export_calendar.py
Python
│ ├─
get_assignment_detail.py
Python
│ ├─
get_assignments.py
Python
│ ├─
list_courses.py
Python
│ └─
search_canvas.py
Python
├─
README.md
Markdown
├─
requirements.txt
Text
└─
SKILL.md
Markdown
Dependencies 2 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
canvasapi | >=3.0.0 | pip | No | Official Canvas LMS Python SDK; no version cap |
requests | >=2.25.0 | pip | No | Standard HTTP library; no version cap |
Security Positives
✓ All scripts are read-only; no write, delete, or submit operations to Canvas API
✓ Uses official canvasapi library exclusively — no raw HTTP except for file downloads via requests with Bearer token
✓ No credential exfiltration: CANVAS_API_TOKEN is used only for Canvas API authentication
✓ No shell execution, subprocess, or os.system calls in any script
✓ No base64 encoding, obfuscation, or anti-analysis patterns
✓ File downloads go to user-specified output directory only
✓ SKILL.md accurately describes all tool behaviors and limitations
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No hidden instructions in comments or strings
✓ Clean error handling that doesn't suppress security-relevant exceptions
✓ No persistence mechanisms (no cron, startup scripts, or backdoors)