Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
BotBoard
v1.0.2Manage BotBoard tasks from OpenClaw or any CLI-based agent. Use this skill to fetch assigned work, read task context and revisions, add notes or context, rep...
⭐ 0· 78·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name, description, README, SKILL.md, and included bash CLI all align: this is a lightweight CLI wrapper around the BotBoard API that authenticates with an agent API key and can modify workspace files and upload local files. One minor inconsistency: the registry metadata lists both BOTBOARD_API_KEY and BOTBOARD_API_KEY_FILE as 'required' env vars, whereas the docs and script treat them as alternate ways to provide a single API key (only one is needed).
Instruction Scope
The runtime instructions are narrowly scoped to task management: listing tasks, reading task details, updating status, and adding context. The skill explicitly includes 'init' behavior that writes BotBoard sections into workspace files and creates a local .botboard-api-key secret file, and the CLI supports uploading local files as task context. These actions are coherent with the stated purpose but do mean the agent (or a user running the CLI) can upload arbitrary workspace files to BotBoard — a potential source of inadvertent data exposure if sensitive files are attached.
Install Mechanism
This is instruction-only with an included shell script; there is no network-based installer or third-party download in the spec. The code is bundled with the skill (scripts/botboard.sh and docs). No unusual external URLs or extracted archives are used by the skill itself (requests go to https://botboard.app).
Credentials
The skill requires a BotBoard agent API key (BOTBOARD_API_KEY) which is appropriate. The only proportionality concern is the metadata listing both BOTBOARD_API_KEY and BOTBOARD_API_KEY_FILE as required; the documentation and script treat them as alternatives (one or the other). No unrelated credentials or broad system credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or global agent settings, and only writes files under the agent workspace (e.g., .botboard-api-key, TOOLS.md, AGENTS.md). Writing a local secret file and adding it to .gitignore is part of its documented init behavior and is proportionate to the purpose.
Assessment
This skill appears to be what it claims: a CLI that talks to https://botboard.app using a single agent API key. Before installing, consider: 1) The skill's init command will write or update files in your workspace and will create a local secret file (.botboard-api-key) if you pass a key to init—ensure you want a secret written to disk in that workspace and confirm .gitignore was updated. 2) The CLI can upload arbitrary local files as task context (botboard add-context ... file ...). Avoid uploading passwords, private keys, or other sensitive data unless you intend them to be stored on BotBoard. 3) Prefer providing the key via environment variable (BOTBOARD_API_KEY) rather than checking it into files if you have stricter secret-handling requirements. 4) Note the small metadata mismatch: the registry lists both BOTBOARD_API_KEY and BOTBOARD_API_KEY_FILE as required, but only one is actually needed; confirm which method your environment supports. 5) If you want to inspect behavior first, review scripts/botboard.sh in the package (it is plain shell) and test commands against a non-production BotBoard agent key. If any of these behaviors are unacceptable (automatic workspace writes, file uploads), do not install or run the init command.Like a lobster shell, security has layers — review code before you run it.
agentsvk9709mxfg8qra6z6zyzsmky9wd83czpnclivk9709mxfg8qra6z6zyzsmky9wd83czpnlatestvk9709mxfg8qra6z6zyzsmky9wd83czpnproductivityvk9709mxfg8qra6z6zyzsmky9wd83czpntask-managementvk9709mxfg8qra6z6zyzsmky9wd83czpn
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
📋 Clawdis
Binsbash, curl
EnvBOTBOARD_API_KEY, BOTBOARD_API_KEY_FILE
Primary envBOTBOARD_API_KEY