Skill v1.0.1
ClawScan security
SEO to HTML Maker (via Kanban Plugin) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 20, 2026, 3:21 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions require installing a separate 'claw-kanban' plugin and obtaining a Dashboard API key (teammate.work) but the skill metadata declares no required credentials or installs — this mismatch and the implied external data upload are concerning.
- Guidance: This skill asks you to install a separate plugin and to get a Dashboard API key that the skill metadata does not declare. Before installing or using it:
  - (1) Inspect the claw-kanban plugin source on GitHub and the OpenClaw plugin registry entry to verify maintainers and recent activity;
  - (2) Review what data the plugin uploads to teammate.work and read that service's privacy/security docs — avoid sending private or regulated content;
  - (3) Use a throwaway/dashboard key or a sandbox environment for initial testing;
  - (4) If you only need local Markdown→HTML conversion, consider using a local library/tool (pandoc, a static site generator, or an internal script) instead of enabling cloud tracking;
  - (5) If you decide to proceed, confirm the plugin's network endpoints, required permissions, and whether it stores artifacts persistently.

  These steps will reduce the risk of unintended data exfiltration.
Review Dimensions
- Purpose & Capability (concern): The skill claims only to be an instruction-only SEO Markdown→HTML pipeline, but the SKILL.md explicitly requires a companion plugin (openclaw plugins install claw-kanban) and a Dashboard API key from teammate.work. The manifest lists no required env vars or credentials, yet runtime behavior depends on an external plugin and cloud dashboard — this is a mismatch between declared requirements and what the workflow actually needs.
- Instruction Scope (concern): Instructions direct the agent to create Kanban cards, move cards to Done, and attach the final .html as an artifact to a cloud dashboard. That implies uploading content (potentially sensitive) to an external service. The SKILL.md does not limit what content is uploaded and gives the agent autonomy to perform cloud-tracking actions; it also instructs the user to run a plugin install command locally. These data-transmission steps are outside a simple local Markdown→HTML conversion and are not declared in the skill metadata.
- Install Mechanism (note): There is no install spec in the skill bundle itself, but the SKILL.md requires installing a separate OpenClaw plugin via 'openclaw plugins install claw-kanban'. Installing an external plugin is a reasonable design choice, but because the plugin will (per the doc) perform Markdown-to-HTML conversion and cloud tracking, you must trust the plugin's source. The skill points to a GitHub repo (https://github.com/Joeyzzyy/claw-kanban) which is helpful — the plugin should be audited before use.
- Credentials (concern): The declared requirements list zero environment variables or credentials, but the README instructs the user to 'Get your free Dashboard API Key' from teammate.work. That key is effectively required for the dashboard integration/visualization but is not declared in the skill metadata. Requesting an API key for an external service is proportionate to dashboard features, but the lack of declaration and the potential to upload content without explicit transparency is a red flag.
- Persistence & Privilege (ok): The skill is not marked always:true and does not request persistent or system-wide modifications in its own files — it's instruction-only. Autonomous invocation is enabled (default) but not a unique concern here; the larger concern is the external plugin the skill asks you to install.
