ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vibe Kanban MCP

v0.1.1

Control the local vibe-kanban MCP server to list orgs/projects/issues, create/update issues, manage workspaces, and find dashboard ports on macOS.

0· 276·1 current·1 all-time
byBurak@devbd1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md describes exactly the claimed functionality (mcporter calls to a local vibe-kanban MCP and macOS port discovery). However the registry metadata lists no required binaries/env vars while the docs explicitly require mcporter, a running vibe-kanban instance, and optionally lsof/netstat/jq. This metadata mismatch is an inconsistency the author should have declared.
Instruction Scope
Instructions are narrowly scoped to running mcporter RPC calls, inspecting local processes (ps, lsof/netstat), and curling localhost ports to verify the UI. They do not ask for external credentials or exfiltrate data; the commands operate on local services and ports as required for the stated goal.
Install Mechanism
No install spec is present (instruction-only), so nothing is automatically downloaded or written by the platform. The SKILL.md contains an example of configuring mcporter to run 'npx ... vibe-kanban@latest', which would fetch code at runtime via npm if the user follows that example — this is a user-side action, not an automatic install described in the skill manifest.
Credentials
The skill declares no required environment variables or credentials and its instructions do not reference secrets. Required artifacts (mcporter, vibe-kanban process) are proportionate to the task. No unrelated service credentials are requested.
Persistence & Privilege
The skill does not request always: true and has no install-time persistence. It is instruction-only and does not modify other skills or global agent settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk factors.
What to consider before installing
This skill appears to do what it says: it gives shell commands to control a locally running vibe-kanban MCP and to find/verify dashboard ports. Before installing or using it, note two things: (1) the registry metadata omits required binaries (mcporter and a running vibe-kanban) even though the SKILL.md requires them—verify those prerequisites yourself; (2) the example mcporter config uses 'npx ... vibe-kanban@latest', which will download and run code from npm if you follow it—only run that if you trust the package source. Because this is an instruction-only skill, nothing is automatically installed by the platform, but the provided commands will inspect local processes (ps, lsof/netstat) and probe localhost ports (curl), which is expected for this purpose but does expose process/port information on your machine. If you are unsure, run the listed commands manually and inspect any packages (e.g., the vibe-kanban npm package) before executing them.

Like a lobster shell, security has layers — review code before you run it.

latestvk9707et3mvw0fxj3qxjxzww4v182d3sn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments