ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Vikunja-complete

v4.0.0

Production-oriented Vikunja task/project management skill with deterministic commands and strong validation.

0· 241·0 current·0 all-time
by@kohlhammond
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match behavior: the skill implements a CLI wrapper (vikunja.sh) that talks to the Vikunja API. Required binaries (curl, jq) and required env vars (VIKUNJA_URL, VIKUNJA_TOKEN) are consistent with that purpose.
Instruction Scope
SKILL.md and the included scripts constrain operations to the Vikunja API (tasks, comments, labels, attachments, webhooks, tokens, etc.). The optional smoke test will create/modify resources (projects, tasks, labels, tokens) on the target Vikunja instance — this is expected for an integration but is state-modifying, so run against a test instance or with a limited-scope token if you want to avoid side effects.
Install Mechanism
No external install/download spec is present; the package is instruction+script-based. There are no remote URLs being downloaded or extracted during install, which lowers supply-chain risk.
Credentials
Only VIKUNJA_URL and VIKUNJA_TOKEN (plus optional retry env vars) are required. These are appropriate and proportionate for an API client. Note: VIKUNJA_TOKEN is sensitive and grants access to the target instance.
Persistence & Privilege
Skill is not marked always:true and does not request elevated platform persistence. It does not modify other skills or system-wide configs; autonomous invocation is allowed at the platform default level (not an additional concern here).
Assessment
This package appears to do what it says: a deterministic CLI for Vikunja that will call the Vikunja API. Before enabling it: (1) only provide a VIKUNJA_TOKEN with the minimum permissions needed (consider creating a scoped/test token); (2) run the included smoke test against a non-production Vikunja instance if you want to validate behavior (the smoke test creates projects/tasks/labels/tokens); (3) review the vikunja.sh script yourself (it is included) to confirm no unexpected network endpoints or persistence are added; and (4) because the skill author is not a known publisher in the metadata, prefer using it in a sandbox or with limited credentials until you are comfortable.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c7dh9e4e3hetzgj57g679g182sv2j

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis
Binscurl, jq
EnvVIKUNJA_URL, VIKUNJA_TOKEN

Comments