Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Kanboard Skill

v1.0.0

Interact with Kanboard project management via JSON-RPC API. Use when working with Kanboard tasks, projects, boards, columns, swimlanes, comments, subtasks, a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
SKILL.md describes a Kanboard JSON-RPC integration and expects KANBOARD_URL plus either KANBOARD_API_TOKEN or KANBOARD_USER/KANBOARD_PASS, and relies on curl and jq. The registry metadata incorrectly lists no required env vars and no required binaries — those requirements are necessary for the stated purpose, so the metadata is inconsistent with the actual instructions.
Instruction Scope
The instructions are scoped to calling Kanboard's JSON-RPC endpoint using a provided kb() shell helper; they do not instruct reading arbitrary files or exfiltrating unrelated data. However, the helper sends credentials (API token or user/password) as HTTP Basic authentication and recommends the Application API mode, which can skip permission checks. That mode is powerful and should be used intentionally.
Install Mechanism
Instruction-only skill with no install spec or code files, which lowers risk because nothing will be written or executed by an installer. The runtime does assume curl and jq are available in the environment.
Credentials
The SKILL.md sensibly requires a Kanboard URL and credentials (proportional to its function), but the registry metadata does not declare these sensitive env vars. That mismatch hides the fact that the skill needs a secret (API token or password). An API token may grant broad access (application API bypasses permission checks), so treat the credential as high-sensitivity.
Persistence & Privilege
No elevated privileges requested: always is false, no config paths modified, and the skill does not request permanent platform presence. Autonomous invocation is allowed (platform default) but not combined here with other high-privilege features.
What to consider before installing
This skill's behavior (kb() helper, curl + jq, and Kanboard credentials) is coherent with its description, but the registry metadata incorrectly omits required env vars and binaries. Before installing:
1) only provide a token/account you trust and prefer a limited-permission user account instead of the application token if possible;
2) verify the KANBOARD_URL points to your trusted Kanboard instance;
3) ensure curl and jq are available in the runtime environment;
4) ask the publisher or registry to update the metadata to declare required env vars (KANBOARD_URL, KANBOARD_API_TOKEN or KANBOARD_USER/KANBOARD_PASS) and required binaries (curl, jq); and
5) avoid supplying high-privilege application tokens to untrusted skills; use a scoped user credential when you can.

Like a lobster shell, security has layers — review code before you run it.

latestvk973wp4whbb1kgm022g6n2shvx81nx7h
