Bolt Sprint

v0.1.0

Manage software development sprints and stories in Bolt. Use for creating/updating stories, moving tasks through the Kanban workflow (waiting → in_progress →...

by Nick Hill @ndhill84
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the included instructions and scripts: all network calls are to a Bolt API (BOLT_BASE_URL) and the CLI/script operate on stories/sprints as advertised. However the registry metadata declares no required environment variables or primary credential while the SKILL.md and scripts clearly require BOLT_BASE_URL (required) and optionally BOLT_API_TOKEN. That mismatch is an incoherence between what the skill claims to need in metadata and what it actually needs to run.
Instruction Scope
SKILL.md and the references only instruct the agent to call the Bolt REST API (health, projects, stories, digests, agent session events, file upload endpoints). There are no instructions to read unrelated host files, exfiltrate data to other endpoints, or access credentials beyond the declared Bolt variables. Logging AI activity to the Bolt instance is explicit and expected for this skill.
Install Mechanism
This is instruction-only with an included helper script; there is no install spec that downloads or executes external archives. The README suggests git clone for manual install which is normal. Overall low disk-write/install risk.
Credentials
The skill requires BOLT_BASE_URL (mandatory) and may use BOLT_API_TOKEN (optional) — both are proportional to a Bolt API client. But the registry metadata omitted these required env vars. The shipped script also expects system tools (curl, jq, uuidgen or /proc UUID) but the skill metadata declares none; missing binary declarations are an inconsistency. Ask the publisher to update metadata to reflect required env vars and binaries before trusting automated installs.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request system-wide persistence or modify other skills. It does post agent activity to the Bolt instance (expected for its purpose) but does not request elevated platform privileges.
Scan Findings in Context
[base64-block] unexpected: Scanner flagged a base64 block. The README contains a base64-encoded SVG badge (harmless). The metadata shows the pre-scan flag was detected in SKILL.md content, but the included files reveal the base64 appears in README badges. This is probably benign but should be double-checked if the skill were to embed or decode base64 payloads at runtime.
What to consider before installing
This skill appears to implement a normal Bolt REST client and the included bash script is readable and uses curl to talk to the BOLT_BASE_URL. However: (1) the skill registry metadata does not declare the required environment variables (BOLT_BASE_URL mandatory, BOLT_API_TOKEN optional) or helper binaries (jq, uuidgen) — request that the publisher fix the metadata before automated installation; (2) verify the BOLT_BASE_URL you set points to a trusted Bolt instance (don’t point it at an attacker-controlled host); (3) inspect scripts/bolt.sh and the reference docs yourself (they are included) and ensure jq and curl are available or adapt the script; (4) because the source/homepage are not authoritative in the registry entry, prefer installing from the upstream GitHub URL shown in the files (or from a trusted registry) and run the skill in an isolated environment if you want to test it first. If you want higher assurance, ask the publisher to (a) update registry metadata to list required env vars and binaries, (b) provide a homepage/source verification, and (c) remove or explain any embedded binary/base64 content.

MIT-0

Bolt Sprint Management Skill

Bolt is a collaborative software development platform built for human-AI teamwork. This skill lets you manage projects, sprints, and stories through Bolt's REST API.

Configuration

Set these environment variables before using this skill:

export BOLT_BASE_URL="http://localhost:4000"   # Your Bolt API base URL
export BOLT_API_TOKEN="your-token-here"         # Optional: only needed if server was started with BOLT_API_TOKEN

The base curl pattern for authenticated requests:

curl -s \
  -H "Content-Type: application/json" \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  "$BOLT_BASE_URL/api/v1/..."

Check connectivity before starting:

curl -s "$BOLT_BASE_URL/health"
# → {"ok":true}
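
A pre-flight check for the two variables above and for the binaries the scan lists (curl, jq, uuidgen), as an added example rather than code from the skill or from scripts/bolt.sh. The function names and the rule that the token is only sent over plain http to a loopback host are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before any Bolt request is sent.
# Function names are hypothetical; they are not part of scripts/bolt.sh.

# Print each required binary that is missing from PATH (one per line).
bolt_missing_bins() {
  local bin
  for bin in "$@"; do
    command -v "$bin" >/dev/null 2>&1 || printf '%s\n' "$bin"
  done
}

# Extract the host from an http(s) URL: strip scheme, path, userinfo, port.
bolt_url_host() {
  local rest="${1#*://}"
  rest="${rest%%[/?#]*}"   # drop path, query, fragment
  rest="${rest##*@}"       # drop userinfo such as "localhost@"
  case "$rest" in
    \[*) printf '%s\n' "${rest%%]*}]" ;;  # bracketed IPv6 literal
    *)   printf '%s\n' "${rest%%:*}" ;;   # hostname or IPv4, port removed
  esac
}

# Validate BOLT_BASE_URL and BOLT_API_TOKEN as the skill uses them.
# Returns 0 ok, 1 unset, 2 bad scheme, 3 token over cleartext http to a remote host.
bolt_check_env() {
  local url="${BOLT_BASE_URL:-}" host
  [ -n "$url" ] || { echo "BOLT_BASE_URL is not set" >&2; return 1; }
  case "$url" in
    http://*|https://*) ;;
    *) echo "BOLT_BASE_URL must be an http(s) URL" >&2; return 2 ;;
  esac
  host="$(bolt_url_host "$url")"
  if [ -n "${BOLT_API_TOKEN:-}" ] && [ "${url%%://*}" = "http" ]; then
    case "$host" in
      localhost|127.0.0.1|"[::1]") ;;
      *) echo "x-bolt-token would be sent in cleartext to $host" >&2; return 3 ;;
    esac
  fi
  printf '%s\n' "$host"   # print the host so the operator can confirm the instance
}
```

Run `bolt_check_env` and `bolt_missing_bins curl jq uuidgen` before the health check; an empty result from the second call means every listed binary is on PATH.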

Common Operations

List Projects

curl -s \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  "$BOLT_BASE_URL/api/v1/projects"

List Sprints for a Project

curl -s \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  "$BOLT_BASE_URL/api/v1/projects/$PROJECT_ID/sprints"

Get Sprint Digest (blockers, story counts, assignee breakdown)

curl -s \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  "$BOLT_BASE_URL/api/v1/digests/sprint/$SPRINT_ID"

List Stories

# All stories in a sprint
curl -s \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  "$BOLT_BASE_URL/api/v1/stories?sprintId=$SPRINT_ID&limit=100"

# Only blocked stories
curl -s \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  "$BOLT_BASE_URL/api/v1/stories?sprintId=$SPRINT_ID&blocked=true"

# Delta sync — only stories changed since a timestamp
curl -s \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  "$BOLT_BASE_URL/api/v1/stories?updated_since=2024-01-01T00:00:00Z"

# Request only specific fields to reduce token usage
curl -s \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  "$BOLT_BASE_URL/api/v1/stories?sprintId=$SPRINT_ID&fields=id,title,status,blocked,priority"

Create a Story

curl -s -X POST \
  -H "Content-Type: application/json" \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  -d '{
    "title": "Story title",
    "projectId": "'"$PROJECT_ID"'",
    "sprintId": "'"$SPRINT_ID"'",
    "description": "What needs to be done",
    "acceptanceCriteria": "Definition of done",
    "priority": "high",
    "status": "waiting",
    "points": 3
  }' \
  "$BOLT_BASE_URL/api/v1/stories"

Update a Story

curl -s -X PATCH \
  -H "Content-Type: application/json" \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  -d '{"blocked": true, "priority": "urgent"}' \
  "$BOLT_BASE_URL/api/v1/stories/$STORY_ID"

Move a Story (Kanban transition)

# Single story
curl -s -X POST \
  -H "Content-Type: application/json" \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  -d '{"status": "in_progress"}' \
  "$BOLT_BASE_URL/api/v1/stories/$STORY_ID/move"

# Batch move multiple stories at once
curl -s -X POST \
  -H "Content-Type: application/json" \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  -d '{
    "items": [
      {"id": "story-1", "status": "completed"},
      {"id": "story-2", "status": "completed"}
    ],
    "all_or_nothing": true
  }' \
  "$BOLT_BASE_URL/api/v1/stories/batch/move"

Add a Note to a Story

curl -s -X POST \
  -H "Content-Type: application/json" \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  -d '{"body": "Note content here", "author": "AI", "kind": "note"}' \
  "$BOLT_BASE_URL/api/v1/stories/$STORY_ID/notes"

Log AI Activity

# Post an event to the agent session (creates session if it doesn't exist)
curl -s -X POST \
  -H "Content-Type: application/json" \
  ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
  -d '{"message": "Analyzing codebase to implement story", "type": "action"}' \
  "$BOLT_BASE_URL/api/v1/agent/sessions/$SESSION_ID/events"

Story Status Values

Status       Meaning
waiting      Not started — in the backlog/queue
in_progress  Actively being worked on
completed    Done

Priority Values

low · med · high · urgent


Key API Behaviors

  • Idempotency: Include Idempotency-Key: <uuid> header on POST/PATCH to safely retry without duplicates (48-hour TTL).
  • Pagination: Responses include page.nextCursor and page.hasMore. Pass cursor=<value> to fetch the next page. Default limit 50, max 200.
  • Field projection: Use ?fields=id,title,status to request only the fields you need — reduces payload size and token cost.
  • Delta sync: Use ?updated_since=<ISO8601> to fetch only items changed since a timestamp — efficient for polling.
  • Error format: All errors return { "error": { "code": "...", "message": "..." } }.
  • Rate limits: Write methods capped at 120 requests/minute per IP.
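
An added example (not the skill's own code) that applies the idempotency rule above to the Create a Story call: one Idempotency-Key is generated per logical request and reused on every retry, and the body is built with jq so that variable contents cannot change the JSON structure. The function names, retry count and timeout are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: retry-safe story creation with an injection-safe JSON body.
# Function names are hypothetical; endpoint, headers and fields are from this page.

# Generate one UUID for Idempotency-Key (uuidgen, else the Linux kernel source).
bolt_new_uuid() {
  if command -v uuidgen >/dev/null 2>&1; then
    uuidgen | tr 'A-Z' 'a-z'
  elif [ -r /proc/sys/kernel/random/uuid ]; then
    cat /proc/sys/kernel/random/uuid
  else
    echo "no UUID source available" >&2; return 1
  fi
}

# Build the POST /api/v1/stories body. jq --arg escapes quotes, backslashes and
# newlines, so a title taken from untrusted text cannot add or override fields.
bolt_story_body() {  # args: title projectId sprintId [points]
  jq -cn --arg title "$1" --arg projectId "$2" --arg sprintId "$3" \
        --argjson points "${4:-3}" \
    '{title: $title, projectId: $projectId, sprintId: $sprintId,
      status: "waiting", points: $points}'
}

# Create a story, retrying with the SAME key so a retry cannot duplicate it.
bolt_create_story() {  # args: title projectId sprintId [points]
  local body key attempt
  body="$(bolt_story_body "$@")" || return 1
  key="$(bolt_new_uuid)" || return 1
  for attempt in 1 2 3; do
    curl -sS --fail --max-time 10 -X POST \
      -H "Content-Type: application/json" \
      -H "Idempotency-Key: $key" \
      ${BOLT_API_TOKEN:+-H "x-bolt-token: $BOLT_API_TOKEN"} \
      -d "$body" "$BOLT_BASE_URL/api/v1/stories" && return 0
    sleep "$attempt"   # simple linear backoff between attempts
  done
  return 1
}
```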

References

  • Full API endpoint reference: references/api-reference.md
  • Workflow patterns and recipes: references/workflows.md
