Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SEO to Kanban Workflow

v1.0.0

A complete SEO workflow skill that guides your agent from keyword research to HTML generation, while visually tracking every step on a cloud Kanban dashboard...

by Joey.Z (@joeyzzyy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (SEO workflow + Kanban visualization) align with the SKILL.md. The skill explicitly depends on a companion 'claw-kanban' plugin and a web dashboard to provide the visualization, which fits the stated purpose.
! Instruction Scope
Runtime instructions direct the agent to create/update cloud Kanban cards, attach generated HTML artifacts, and sync progress to an external dashboard (webkanbanforopenclaw.vercel.app). That means user content and artifacts will be transmitted to a third‑party service; the SKILL.md does not limit or warn about what data will be uploaded.
Install Mechanism
The registry contains no install spec; SKILL.md instructs the user to install an external plugin via 'openclaw plugins install claw-kanban' and points to an NPM/GitHub ecosystem. Installing that third‑party plugin will run code not vetted by this registry and could access local files or network resources — a normal but nontrivial risk that requires auditing the plugin source before installing.
! Credentials
The skill declares no required environment variables, yet the instructions tell users to obtain a 'Dashboard API Key' from the external site. The registry metadata does not declare where or how that credential is stored/used. This mismatch (required external credential not declared) raises the risk of accidental credential exposure or poorly documented storage/usage.
! Persistence & Privilege
The skill is marked always: true in the registry metadata. Always-on status combined with autonomous agent invocation and a requirement to install an external plugin plus a third‑party dashboard increases the blast radius if the plugin or dashboard are malicious or compromised. There's no justification in SKILL.md for always-on.
What to consider before installing
This skill is functionally coherent with its description, but it relies on an external NPM plugin and a third‑party web dashboard that will receive your generated content. Before installing or using it:
1) review the 'claw-kanban' plugin source (GitHub) and NPM package to ensure it doesn't read or transmit unrelated files;
2) avoid uploading sensitive data to the dashboard and ask how artifacts/API keys are stored;
3) treat the Dashboard API Key like a secret — verify where the plugin stores it (env var, file, service) and whether it is transmitted securely;
4) consider not enabling always: true or remove the skill if you want tighter control over when it can run; and
5) if you can't audit the plugin, prefer a manual workflow or a vetted alternative.
If you want, I can list specific things to check in the plugin repo (install scripts, network calls, file access patterns) or draft safer install/use instructions.

Like a lobster shell, security has layers — review code before you run it.

latest vk974czynhbvdzzxh68yxphm7ws82t2rx

Runtime requirements

📋 Clawdis
