Miro Web SDK Reference
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Following the quick start may download and run external Miro SDK tooling from npm.
The reference instructs users to install external npm packages as part of SDK setup. This is central to the stated purpose, but package-manager setup still depends on trusted sources.
npm install @mirohq/websdk-cli @mirohq/miro-webplugin
Use official package names, prefer pinned versions or lockfiles, and review generated project files before using them on important boards.
A plugin built from these examples may read or change Miro board content and access profile information after the user grants consent.
The docs describe Miro app scopes that can read and modify board content and access user identity. These permissions are expected for Miro plugins, but users should review them carefully.
board:read | Read board data and items ... board:write | Create, edit, delete items ... identity:read | Get current user info
Request the minimum required scopes, test in a Developer team first, and avoid identity or write permissions unless the plugin truly needs them.
Using this pattern on a real board could delete many or all items.
The reference includes a bulk-delete API example. It is presented as documentation rather than an automatic workflow, but copied blindly it could erase board content.
const items = await miro.board.getAllItems(); await Promise.all(items.map(item => item.delete()));
Require explicit confirmation for destructive operations, limit actions to selected or test items, and provide an undo or recovery path where possible.
Plugin data may remain attached to a board or user profile and influence later plugin behavior.
The docs show persistent board-level and user-level metadata storage. This is normal for plugin settings, but persistent data can carry stale, sensitive, or untrusted state across sessions.
await miro.board.info.setMeta('key', { value: 'data' }); ... await miro.currentUser.setMeta('key', { value: 'data' });
Do not store secrets or untrusted instructions in metadata; namespace stored keys, validate data when reading it, and define cleanup or retention behavior.
