扫描报告
5 /100
canvas-lms-student
Read-only Canvas LMS integration for student workflows — list courses, assignments, download files, export deadlines to calendar, search content
A straightforward, read-only Canvas LMS integration skill with clean code, accurate documentation, and no malicious behavior detected.
可以安装
Approve for use. This skill performs exactly what it declares — read-only access to Canvas LMS course data — using the official canvasapi library with no hidden functionality.
安全发现 2 项
| 严重性 | 安全发现 | 位置 |
|---|---|---|
| 低危 | Shell permission declared but not used 文档欺骗 | SKILL.md:9 |
| 提示 | Dependencies use caret upper bounds 供应链 | requirements.txt:1 |
| 资源类型 | 声明权限 | 推断权限 | 状态 | 证据 |
|---|---|---|---|---|
| 文件系统 | WRITE | WRITE | ✓ 一致 | download_files.py writes to user-specified --output dir; get_assignment_detail.p… |
| 网络访问 | READ | READ | ✓ 一致 | All scripts use canvasapi/requests GET only; no POST, PUT, DELETE, or PATCH call… |
| 命令执行 | WRITE | NONE | ✓ 一致 | No subprocess, os.system, or shell execution found in any script; only standard … |
| 环境变量 | READ | READ | ✓ 一致 | canvas_client.py reads CANVAS_BASE_URL and CANVAS_API_TOKEN only; token used sol… |
| 技能调用 | NONE | NONE | — | Scripts only call each other via Python import (list_courses.resolve_course_iden… |
| 剪贴板 | NONE | NONE | — | No clipboard access detected |
| 浏览器 | NONE | NONE | — | No browser automation or WebFetch |
| 数据库 | NONE | NONE | — | No database access |
7 项发现
中危 外部 URL 外部 URL
https://your-school.instructure.com README.md:54 中危 外部 URL 外部 URL
https://canvas.university.edu SKILL.md:44 中危 外部 URL 外部 URL
https://canvas.instructure.com/api/v1/ references/api-overview.md:10 中危 外部 URL 外部 URL
https://canvas.university.edu/api/v1/ references/api-overview.md:11 中危 外部 URL 外部 URL
https://canvas.instructure.com/api/v1/courses references/api-overview.md:19 中危 外部 URL 外部 URL
https://calendar.google.com scripts/export_calendar.py:160 提示 邮箱 邮箱地址
[email protected] README.md:29 目录结构
16 文件 · 71.0 KB · 2248 行 Python 7f · 1532L
Markdown 8f · 714L
Text 1f · 2L
├─
▾
references
│ ├─
api-overview.md
Markdown
│ ├─
assignments.md
Markdown
│ ├─
calendar-export.md
Markdown
│ ├─
courses.md
Markdown
│ ├─
files.md
Markdown
│ └─
search.md
Markdown
├─
▾
scripts
│ ├─
canvas_client.py
Python
│ ├─
download_files.py
Python
│ ├─
export_calendar.py
Python
│ ├─
get_assignment_detail.py
Python
│ ├─
get_assignments.py
Python
│ ├─
list_courses.py
Python
│ └─
search_canvas.py
Python
├─
README.md
Markdown
├─
requirements.txt
Text
└─
SKILL.md
Markdown
依赖分析 2 项
| 包名 | 版本 | 来源 | 已知漏洞 | 备注 |
|---|---|---|---|---|
canvasapi | >=3.0.0 | pip | 否 | Official Canvas LMS Python SDK; no version cap |
requests | >=2.25.0 | pip | 否 | Standard HTTP library; no version cap |
安全亮点
✓ All scripts are read-only; no write, delete, or submit operations to Canvas API
✓ Uses official canvasapi library exclusively — no raw HTTP except for file downloads via requests with Bearer token
✓ No credential exfiltration: CANVAS_API_TOKEN is used only for Canvas API authentication
✓ No shell execution, subprocess, or os.system calls in any script
✓ No base64 encoding, obfuscation, or anti-analysis patterns
✓ File downloads go to user-specified output directory only
✓ SKILL.md accurately describes all tool behaviors and limitations
✓ No access to sensitive local paths (~/.ssh, ~/.aws, .env)
✓ No hidden instructions in comments or strings
✓ Clean error handling that doesn't suppress security-relevant exceptions
✓ No persistence mechanisms (no cron, startup scripts, or backdoors)