openmaic-classroom

github.com/aradotso/trending-skills
Verdict: Do not install
6 critical0 high1 medium
F
SCORE 0 / 100
$skillox install openmaic-classroomSoon
Sign in to followFollowing emails you when a re-scan drops the grade. Opt-out is per-creator on /account/billing.

Why grade F?

score · 0 / 100

The current grade reflects 6 critical findings (any 2+ CRITs → F).

6 CRIT0 HIGH1 MED0 LOW
To reach a higher grade
  • D
    Reach Dtarget score 30

    Resolve 5 of your 6 CRIT findings — any single CRIT still keeps you at D.

  • C
    Reach Ctarget score 55

    Resolve all 6 CRIT findings.

  • B
    Reach Btarget score 75

    Resolve all 6 CRIT.

  • A
    Reach Atarget score 95

    Resolve all 6 CRIT.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Latest scan findings

Scan crawl-ybb07e5hz3jgplgsiudpdm7i · Thu, 28 May 2026 17:11:24 GMT · 1ms

crit
Skill references secret env var $OPENAI_API_KEY
The skill instructions reference `$OPENAI_API_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 54CWE-200
52```env
53# LLM Providers (configure at least one)
54OPENAI_API_KEY=$OPENAI_API_KEYreferences $OPENAI_API_KEY — potential credential leak
55ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY
56GOOGLE_API_KEY=$GOOGLE_API_KEY
crit
Skill references secret env var $ANTHROPIC_API_KEY
The skill instructions reference `$ANTHROPIC_API_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 55CWE-200
53# LLM Providers (configure at least one)
54OPENAI_API_KEY=$OPENAI_API_KEY
55ANTHROPIC_API_KEY=$ANTHROPIC_API_KEYreferences $ANTHROPIC_API_KEY — potential credential leak
56GOOGLE_API_KEY=$GOOGLE_API_KEY
57
crit
Skill references secret env var $GOOGLE_API_KEY
The skill instructions reference `$GOOGLE_API_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 56CWE-200
54OPENAI_API_KEY=$OPENAI_API_KEY
55ANTHROPIC_API_KEY=$ANTHROPIC_API_KEY
56GOOGLE_API_KEY=$GOOGLE_API_KEYreferences $GOOGLE_API_KEY — potential credential leak
57
58# Recommended default model (Gemini 3 Flash = best speed/quality balance)
crit
Skill references secret env var $OPENAI_API_KEY
The skill instructions reference `$OPENAI_API_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 76CWE-200
74providers:
75 openai:
76 apiKey: $OPENAI_API_KEYreferences $OPENAI_API_KEY — potential credential leak
77 anthropic:
78 apiKey: $ANTHROPIC_API_KEY
crit
Skill references secret env var $ANTHROPIC_API_KEY
The skill instructions reference `$ANTHROPIC_API_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 78CWE-200
76 apiKey: $OPENAI_API_KEY
77 anthropic:
78 apiKey: $ANTHROPIC_API_KEYreferences $ANTHROPIC_API_KEY — potential credential leak
79 google:
80 apiKey: $GOOGLE_API_KEY
crit
Skill references secret env var $GOOGLE_API_KEY
The skill instructions reference `$GOOGLE_API_KEY`, which contains a credential. If an attacker can lure the agent into including this in an outbound URL or message, the credential leaks.
rule: env-var-harvestingline: 80CWE-200
78 apiKey: $ANTHROPIC_API_KEY
79 google:
80 apiKey: $GOOGLE_API_KEYreferences $GOOGLE_API_KEY — potential credential leak
81 deepseek:
82 apiKey: $DEEPSEEK_API_KEY
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
View latest scan →
skillox.io/c/openmaic-classroom