Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
TaskboardAI Skill
v1.0.1
Manage tasks and projects using the TaskBoardAI Kanban system. Includes MCP server integration.
by @hyddd
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and README clearly depend on the external TaskBoardAI npm package and on running node against a specific script path (/opt/homebrew/lib/node_modules/taskboardai/server/mcp/kanbanMcpServer.js). The registry metadata, however, declares no required binaries, no install steps, and no environment variables — that's inconsistent. Requiring the TaskBoardAI package and node is reasonable for a TaskBoard integration, but those requirements should be declared by the skill.
Instruction Scope
Runtime instructions tell the agent to spawn a node MCP server process and to immediately move newly created tasks into 'In Progress' and to 'perform the work' using available tools (web_search, etc.). That gives the agent broad, autonomous authority to run processes and use other tool integrations. The SKILL.md also references missing API keys as a blocker but does not declare what credentials or config the MCP server needs. This scope is broader than the metadata indicates and may cause unexpected autonomous actions.
Install Mechanism
There is no install spec in the registry (the skill is instruction-only), but the README instructs users to run `npm install -g taskboardai` and to clone the repo. Relying on a global npm package is a moderate risk: the code executed when the MCP server is launched comes from that package. The skill does not pin or verify the package source in metadata, and the SKILL.md hardcodes a Homebrew-style path which may not exist on non-macOS systems.
Credentials
The skill declares no required environment variables, yet the instructions mention 'missing API key' as a blocker and rely on an external package that likely needs configuration/credentials. Absence of declared env vars or primary credential is a mismatch — you may need to supply secrets later, and the skill gives no guidance about what and where to set them.
Persistence & Privilege
The skill is not always-enabled and does not request special system-wide privileges. However, it instructs the agent to autonomously start tasks and immediately execute them using other tools; combined with the ability to spawn a node process, this raises operational risk if you do not want autonomous task execution. (Autonomous invocation itself is normal for skills and is not flagged alone.)
What to consider before installing
Before installing: (1) Confirm you trust the TaskBoardAI package source — the MCP server the skill runs is provided by that npm package and will execute code on your system. (2) Ensure you have node installed and decide where the kanbanMcpServer.js file will live; the SKILL.md hardcodes a macOS/Homebrew path which may not match your system. (3) Expect the skill to autonomously create and immediately start tasks and to use other tools (web_search, etc.); if you do not want this behavior, do not enable autonomous invocation or modify AGENTS.md triggers. (4) Ask the skill author to declare required binaries and any environment variables (API keys) formally in the skill metadata so you can audit what credentials are needed. (5) If uncertain, test in an isolated/sandbox environment and inspect the installed TaskBoardAI package contents before running the MCP server.
Like a lobster shell, security has layers — review code before you run it.
