Skill v1.0.0
ClawScan security
SEO to Kanban Workflow · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 13, 2026, 10:46 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's description matches its instructions, but it asks you to install an external NPM plugin and to use a third‑party dashboard (with an API key) while also being marked always-on — the credential handling and third‑party data uploads are not declared or controlled by the registry metadata.
- Guidance: This skill is functionally coherent with its description, but it relies on an external NPM plugin and a third‑party web dashboard that will receive your generated content. Before installing or using it: 1) review the 'claw-kanban' plugin source (GitHub) and NPM package to ensure it doesn't read or transmit unrelated files; 2) avoid uploading sensitive data to the dashboard and ask how artifacts/API keys are stored; 3) treat the Dashboard API Key like a secret — verify where the plugin stores it (env var, file, service) and whether it is transmitted securely; 4) consider not enabling always: true or remove the skill if you want tighter control over when it can run; and 5) if you can't audit the plugin, prefer a manual workflow or a vetted alternative. If you want, I can list specific things to check in the plugin repo (install scripts, network calls, file access patterns) or draft safer install/use instructions.
Review Dimensions
- Purpose & Capability (ok): The name and description (SEO workflow + Kanban visualization) align with the SKILL.md. The skill explicitly depends on a companion 'claw-kanban' plugin and a web dashboard to provide the visualization, which fits the stated purpose.
- Instruction Scope (concern): Runtime instructions direct the agent to create/update cloud Kanban cards, attach generated HTML artifacts, and sync progress to an external dashboard (webkanbanforopenclaw.vercel.app). That means user content and artifacts will be transmitted to a third‑party service; the SKILL.md does not limit or warn about what data will be uploaded.
- Install Mechanism (note): The registry contains no install spec; SKILL.md instructs the user to install an external plugin via 'openclaw plugins install claw-kanban' and points to an NPM/GitHub ecosystem. Installing that third‑party plugin will run code not vetted by this registry and could access local files or network resources — a normal but nontrivial risk that requires auditing the plugin source before installing.
- Credentials (concern): The skill declares no required environment variables, yet the instructions tell users to obtain a 'Dashboard API Key' from the external site. The registry metadata does not declare where or how that credential is stored/used. This mismatch (required external credential not declared) raises the risk of accidental credential exposure or poorly documented storage/usage.
- Persistence & Privilege (concern): The skill is marked always: true in the registry metadata. Always-on status combined with autonomous agent invocation and a requirement to install an external plugin plus a third‑party dashboard increases the blast radius if the plugin or dashboard are malicious or compromised. There's no justification in SKILL.md for always-on.
