Miro REST API Reference

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Miro API reference; it describes powerful actions, but does not install code or hide behavior.

Install only if you want an agent to reference Miro API documentation. Treat any POST, PATCH, DELETE, team-member, or webhook example as a real change to Miro when used with a valid token. Use least-privilege scopes, prefer test boards first, keep tokens out of logs and source control, and revoke unused personal access tokens and webhooks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium (91% confidence)

The error-handling example logs detailed API error data, including message, status, code, and response details. In real integrations, these fields can contain sensitive identifiers, request metadata, or user content, and the documentation does not warn readers to sanitize or minimize logged data before use.

Missing User Warnings

Medium (87% confidence)

The structured logging example includes a user identifier directly in logs without privacy guidance. While not inherently exploitable on its own, it normalizes logging persistent identifiers and can contribute to privacy leakage or overcollection when adopted in production systems.

Missing User Warnings

Medium (83% confidence)

The authentication section instructs use of a bearer token but does not state that the token is a sensitive secret that must not be logged, exposed in prompts, or embedded in client-side contexts. In an agent-skill setting, that omission can encourage unsafe handling of credentials and increase the chance of token leakage to logs, transcripts, or downstream tools.

Missing User Warnings

Medium (86% confidence)

The documentation includes authenticated POST and PATCH examples that create boards, cards, comments, and webhooks against the live Miro API without prominent warnings that these operations modify remote resources. In an agent or copy-paste context, users may execute them against production tokens and unintentionally alter real boards or register persistent webhooks.

Missing User Warnings

Medium (83% confidence)

The examples normalize use of long-lived personal access tokens in a .env file without accompanying guidance on secure storage, scope restriction, rotation, or preventing accidental source-control exposure. This can lead users to handle credentials unsafely and increase the chance of token leakage or overprivileged access.

VirusTotal

66/66 vendors flagged this skill as clean.