Kanboard
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Kanboard API skill, but it uses a broad application API token that bypasses Kanboard permission checks and includes destructive actions without clear confirmation safeguards.
Install only if you are comfortable giving the agent a Kanboard API token with broad access. Prefer a dedicated limited automation account, confirm every destructive or bulk action manually, and avoid using this skill with production Kanboard data unless you have backups and clear operating rules.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is powerful, the agent may be able to read, create, update, move, close, or delete Kanboard data beyond the permissions a normal user session would have.
The skill directs use of a Kanboard Application API token that bypasses normal permission checks, giving the agent broad account-level authority rather than a clearly scoped user-level permission boundary.
Application API skips permission checks and has no session. Use it for automation.
Use the least-privileged Kanboard credential available, restrict it to a dedicated automation account if possible, and rotate the token if it is exposed.
A mistaken task or project ID, or an overly broad user request, could lead to permanent Kanboard data deletion.
The skill documents direct destructive API calls, including irreversible removals, without visible instructions to require explicit user confirmation, dry runs, or scoped safeguards before execution.
# Remove project (irreversible)
kb removeProject '{"project_id": 1}'
...
# Remove task (irreversible)
kb removeTask '{"task_id": 42}'
Require explicit confirmation before delete, disable, move, or bulk-change actions, and verify project/task IDs with the user before calling mutating methods.
Users may not notice before installation that the skill needs a Kanboard API token and local curl/jq tools.
SKILL.md declares environment variables and command-line dependencies, while the registry requirements provided for review list no required env vars, primary credential, or binaries. This is disclosed in the skill text but under-declared in install metadata.
env:
  - KANBOARD_URL # e.g. https://kanboard.example.com
  - KANBOARD_API_TOKEN # from Settings → API, used as password with user "jsonrpc"
requires:
  - curl
  - jq
Declare KANBOARD_URL, KANBOARD_API_TOKEN, curl, and jq in the registry metadata so users can review requirements before enabling the skill.
