Skill v1.0.0

ClawScan security

Nerve Kanban Bwm · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 16, 2026, 6:36 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini

Summary
The skill's API documentation is self-consistent for managing a local Nerve Kanban server, but it omits authentication/endpoint configuration details and exposes actions (spawn/execute) that could let an agent spin up sub-sessions — these gaps merit caution before installing.
Guidance
This skill appears to be a straightforward API reference for a Nerve Kanban server and is instruction-only (no install). Before installing:
1) Confirm where the agent will point the skill (what base URL) and whether that server requires authentication; the SKILL.md does not explain auth or how credentials are provided.
2) If the server is not local/dev-only, require secure transport and credentials (API token, OAuth, etc.) and ensure the skill is configured to use them.
3) Note that the API can spawn subagent sessions via the execute endpoint; if you allow autonomous model invocation, the agent could start background runs. Consider disabling autonomous invocation or restricting the skill to trusted agents.
4) Test the skill in an isolated/dev environment first and review the actual Nerve server's auth and access controls before giving it network access to production systems.

Review Dimensions

Purpose & Capability
[note] The name, description, and listed endpoints align: all declared endpoints and actions (CRUD, proposals, workflow, config) match a Kanban management skill. However, the SKILL.md does not declare how the agent learns the server origin (it only gives an example, http://localhost:3000), nor does it mention any authentication requirements; this omission is notable because a production Kanban API would typically require auth. The lack of required env/config for the base URL or credentials is an unexplained choice.
Instruction Scope
[note] The instructions are narrowly scoped to calling the documented REST endpoints and handling CAS/version conflicts; there are no directives to read local files or unrelated system state. One important capability described is POST /api/kanban/tasks/:id/execute, which 'spawns a gateway subagent session' and relies on background pollers; that means using the skill can cause agent sessions to be created and run autonomously via the Nerve server. That behavior is within the skill's stated purpose (execute tasks), but it increases the operational blast radius and should be explicit in policy/authorization controls.
Install Mechanism
[ok] Instruction-only skill with no install spec and no code files. This is low-risk from an install perspective; nothing is downloaded or written to disk by the skill package itself.
Credentials
[note] The skill declares no required environment variables or primary credential. This can be fine for a local/dev-only Kanban server, but it's unexpected for a networked production API. If the Nerve server requires authentication, the skill provides no mechanism for supplying or restricting credentials. Absence of any auth/config guidance is a proportionality gap worth clarifying.
Persistence & Privilege
[note] always:false and default autonomous invocation are appropriate. However, because the API includes an endpoint that spawns agent sub-sessions, allowing the model to autonomously invoke this skill (disable-model-invocation=false) could let the agent create background runs. This is not inherently incorrect but increases risk; consider gating autonomous calls or limiting which models/commands are allowed to trigger /execute.