Miro Web SDK Reference
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: miro-sdk
Version: 1.0.0
The bundle is a comprehensive documentation and reference set for the Miro Web SDK, providing instructions and code examples for building Miro plugins. It includes detailed guides on authentication, API usage, and error handling, and explicitly promotes security best practices such as input sanitization, minimal scope requests, and secure data storage in files like best-practices.md and authentication.md. No malicious logic, unauthorized data exfiltration, or prompt injection attempts were identified.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Following the quick start may download and run external Miro SDK tooling from npm.
The reference instructs users to install external npm packages as part of SDK setup. This is central to the stated purpose, but package-manager setup still depends on trusted sources.
npm install @mirohq/websdk-cli @mirohq/miro-webplugin
Use official package names, prefer pinned versions or lockfiles, and review generated project files before using them on important boards.
A plugin built from these examples may read or change Miro board content and access profile information after the user grants consent.
The docs describe Miro app scopes that can read and modify board content and access user identity. These permissions are expected for Miro plugins, but users should review them carefully.
board:read | Read board data and items ... board:write | Create, edit, delete items ... identity:read | Get current user info
Request the minimum required scopes, test in a Developer team first, and avoid identity or write permissions unless the plugin truly needs them.
Using this pattern on a real board could delete many or all items.
The reference includes a bulk-delete API example. It is presented as documentation rather than an automatic workflow, but copied blindly it could erase board content.
const items = await miro.board.getAllItems(); await Promise.all(items.map(item => item.delete()));
Require explicit confirmation for destructive operations, limit actions to selected or test items, and provide an undo or recovery path where possible.
Plugin data may remain attached to a board or user profile and influence later plugin behavior.
The docs show persistent board-level and user-level metadata storage. This is normal for plugin settings, but persistent data can carry stale, sensitive, or untrusted state across sessions.
await miro.board.info.setMeta('key', { value: 'data' }); ... await miro.currentUser.setMeta('key', { value: 'data' });
Do not store secrets or untrusted instructions in metadata; namespace stored keys, validate data when reading it, and define cleanup or retention behavior.
