v0.2.0

Movedone

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 7:37 AM.

Analysis

This is a straightforward local Movedone API wrapper, but it uses a full-access bearer token and includes commands that can change or delete your projects and tasks.

Guidance: Install only if you are comfortable giving OpenClaw a full-access local Movedone API token. Keep the token secret and double-check before allowing project, column, or task deletion commands.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
### Delete a project

```bash
curl -s -X DELETE "$MOVEDONE_BASE_URL/projects/{project_id}"
```

The skill documents destructive API operations through curl. This is purpose-aligned for a kanban management skill, but incorrect use could delete user project data.

User impact: If the agent or user runs the wrong delete or update command, Movedone projects, columns, tasks, comments, or links could be changed or removed.
Recommendation: Confirm resource IDs and intended actions before running update or delete commands, and consider requiring explicit user confirmation for destructive operations.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
The base URL and bearer token provide full access to your local Movedone HTTP API, so keep them secret

The skill requires an API bearer token with full local Movedone access. This is disclosed and expected for the integration, but it is sensitive authority.

User impact: Anyone who obtains the bearer token could access the local Movedone API with the same authority and modify or delete data.
Recommendation: Keep the token private, use the local API URL only, and rotate or revoke the token if it may have been exposed.