Back to skill

Security audit

SEO to Kanban Workflow

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed SEO workflow that uses a cloud Kanban plugin, so it is not malicious but users should avoid it for confidential content unless they trust that service.

Install only if you intend to use the external `claw-kanban` plugin and cloud dashboard. Verify the plugin publisher/source, understand how the dashboard API key and uploaded cards/files are handled, and do not use it for proprietary SEO briefs, unpublished drafts, or sensitive client content unless you trust the dashboard service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill describes a broad workflow that can attach itself to generic SEO or content requests and, per metadata, appears configured to run persistently (`always: true`). In this context, an overly broad invocation surface increases the chance that unrelated user tasks are silently funneled into a workflow that performs remote dashboard syncing and artifact upload, which can cause unintended data disclosure and unexpected side effects.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill explicitly instructs installation of a companion plugin and advertises cloud dashboard synchronization, progress logging, and attachment of generated HTML artifacts, but it does not present a clear upfront warning that task content may be transmitted to a remote service. Because the workflow logs research, progress, and generated outputs to an external dashboard, users may unknowingly expose sensitive prompts, proprietary content, or local artifacts to a third-party cloud service.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.