Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pipintama Boards
v1.0.0Create, fetch, share, or change visibility for hosted Pipintama Boards through the MCP server. Use when a user needs a mindmap, flowchart, kanban board, or a...
⭐ 0· 52·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes a service-backed Boards integration (calls to api.pipintama.com, requires a Pipintama API key) which is consistent with the name/description. However, the registry metadata lists no required environment variables or primary credential even though the instructions explicitly say a valid Pipintama API key is required. This mismatch is unexpected and should be clarified.
Instruction Scope
Instructions are narrowly scoped to creating/fetching/sharing boards via the MCP endpoints and include sensible mode- and visibility-selection rules. Two operational privacy-relevant items: (1) the agent is told to preserve user intent in 'source_text' which will be sent to the remote API (possible leakage of sensitive content), and (2) default visibility is 'shared' unless user explicitly requests private — this could unintentionally expose content. The SKILL.md does not instruct reading local files or other unrelated secrets.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk or downloaded during install. This is the lowest-risk install posture.
Credentials
The skill clearly requires a Pipintama API key for operation (Authorization: Bearer or x-api-key), but the registry entry lists no required env vars or primary credential. That omission is disproportionate/incoherent. Aside from the missing declaration, there are no other credentials requested, which is appropriate, but lack of explicit handling for where the API key should be supplied is a risk (accidental use of a broad credential, or failure to surface that the key will be sent to an external service).
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. There is no install-time persistence, no modification of other skills or system-wide settings. These privileges are appropriate for the described functionality.
Scan Findings in Context
[no_code_files] expected: The static scanner found no code because this is an instruction-only skill (SKILL.md). That is expected and means the runtime behavior will be limited to network calls performed by the agent per the instructions.
What to consider before installing
This skill appears to do what it says (create and share hosted boards), but it has two issues you should consider before installing: (1) the SKILL.md requires a Pipintama API key to call api.pipintama.com, yet the skill metadata does not declare any required credential—ask the author how the key is expected to be provided and confirm there's no hidden credential handling; (2) the skill defaults board visibility to 'shared' and will send the user's 'source_text' to a remote service, so do not use it with sensitive data unless you trust pipintama.com and are okay with shared links. If you proceed, use a scoped API key (minimal permissions), prefer explicit private visibility for sensitive content, and verify the endpoint (https://api.pipintama.com/mcp) is legitimate.Like a lobster shell, security has layers — review code before you run it.
agentsvk970a0e6daj7rtzenzr5d98dts849a06boardsvk970a0e6daj7rtzenzr5d98dts849a06latestvk970a0e6daj7rtzenzr5d98dts849a06productivityvk970a0e6daj7rtzenzr5d98dts849a06visualizationvk970a0e6daj7rtzenzr5d98dts849a06
License
MIT-0
Free to use, modify, and redistribute. No attribution required.