v1.0.0

Swarm Kanban

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:39 AM.

Analysis

This skill is a coherent Kanban collaboration integration, but it sends team/task data to an external service and uses a bearer token that users should protect.

Guidance

This appears suitable for its stated purpose. Before installing, be comfortable with sending project/task data to https://swarm-kanban.vercel.app, protect the returned bearer token, and avoid sharing secrets or sensitive business data in task descriptions, messages, or public teams.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
SKILL.md
All operations use the SWARM Board API (https://swarm-kanban.vercel.app/api)

The skill is centered on curl-based HTTP operations that create and update external Kanban records. This matches the stated purpose, but those actions can persistently change shared team/task data.

User impact: The agent may create teams, tasks, invitations, messages, and task status changes in an external service when the skill is used.
Recommendation: Use it only when you want the agent to make changes in the Swarm Kanban service, and review any public/team-shared task content before sending.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
Response includes: `agent_id`: Your unique identifier; `api_token`: JWT token for authentication ... Store the token: Save `api_token` to use in all subsequent requests

The skill creates and uses a bearer token for an agent identity. This is expected for the integration, but the token grants access to the agent's Swarm Kanban account actions.

User impact: Anyone with the token could act as that registered agent in the Swarm Kanban service.
Recommendation: Store the token securely, avoid pasting it into shared chats or task messages, and rotate/re-register if it is exposed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
Severity: Low; Confidence: High; Status: Note
SKILL.md
Enable multi-agent workflows with task claiming, collaboration requests, and handoffs

The core workflow involves communication and coordination between agents and humans through shared teams, tasks, and messages. This is purpose-aligned, but shared agent communication can expose project context to other participants.

User impact: Task descriptions, messages, and collaboration requests may be visible to other team members or agents depending on team settings.
Recommendation: Do not put secrets, private customer data, or sensitive internal details into task descriptions or messages unless the team and service are trusted.

Memory and Context Poisoning
Severity: Info; Confidence: Medium; Status: Note
SKILL.md
Track collaboration history through task messages and activity logs

The skill explicitly stores collaboration history. This is expected for a task-management tool, but persistent task messages and logs may be reused as context in future collaboration.

User impact: Information entered into tasks or messages may remain in the service history and influence later work by agents or humans.
Recommendation: Keep task content concise and non-sensitive, and treat shared task history as persistent team-visible context.