Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agile Observer

v1.1.0

Proactive agile metrics and team health analysis for Trello and Jira boards. Computes cycle time, throughput, WIP, sprint burndown, aging work items, and blo...

by Oliver Monneke (@olivermonneke)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description and the runtime instructions align: it queries Trello and Jira APIs, computes cycle time/throughput/WIP, and generates reports. However, the skill relies on credentials found in workspace secrets (trello-credentials.json / jira-credentials.json) even though the registry metadata lists no required credentials or primary credential — an inconsistency between claimed requirements and runtime needs.
Instruction Scope
SKILL.md instructions stay within the stated purpose: list boards/projects, fetch cards/issues and action histories, classify states, compute metrics, and produce reports. The only external data the instructions say to read are Trello/Jira data and credential files in workspace secrets (which is relevant to the task). There are no instructions to read unrelated system files or to post data to third-party endpoints beyond Trello/Jira.
Install Mechanism
No install spec or code is provided (instruction-only). This minimizes on-disk installation risk because nothing is downloaded or executed beyond what the agent itself performs at runtime.
Credentials (flagged)
The skill will need API credentials (Trello key/token or Jira instance/email/api_token) to function, and SKILL.md explicitly instructs the agent to look for credential files in workspace secrets. But the registry metadata declares no required env vars or primary credential. That mismatch is concerning because sensitive credentials are needed but not declared by the package metadata. Requesting these credentials is reasonable for the stated purpose, but the omission in metadata reduces transparency.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It allows autonomous invocation (platform default), which is expected for skills; nothing here requests persistent system-wide changes or other skills' credentials.
What to consider before installing
This skill appears to genuinely implement Trello/Jira metrics, but it expects to read credentials from workspace secrets (trello-credentials.json or jira-credentials.json) even though the registry lists no required credentials. Before installing:
- Verify where and how the agent will access credentials. If you must provide credentials, prefer limited-scope API tokens (not full admin credentials) and rotate them after testing.
- Confirm that workspace secrets access is acceptable — the skill will look for credential files in the workspace secret store. If you don't want the agent to access your primary credentials, create a dedicated read-only account or token for metrics only.
- Ask the skill author (or inspect runtime logs) to confirm that reports and data are only sent to Trello/Jira and your chosen delivery channel — clarify what "primary channel" means and where reports will be posted.
- Because metadata omitted the credential requirement, consider exercising extra caution: run the skill in a controlled environment first, audit network requests, and review any generated outputs before enabling recurring scheduling.
If the author updates the registry metadata to declare the required credentials explicitly (or documents an option to provide credentials via the platform's secure credential fields), my confidence that this is coherent would increase.
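The two findings the scan keeps returning to (the Purpose & Capability and Credentials sections above, and the pre-install checklist) reduce to one mechanical comparison: what SKILL.md tells the agent to read and contact versus what the registry metadata declares. The script below is an added example of that pre-install check; it is not ClawHub's scanner and not code from the Agile Observer skill. The SKILL.md excerpt is constructed to mirror what the report describes, the metadata field names "required_env" and "primary_credential" are assumptions (the real registry schema may differ), and the host allowlist is simply the two services the stated purpose needs.

```python
import re

# Constructed SKILL.md excerpt, written for this example; it is not the real
# Agile Observer SKILL.md, but it mirrors what the scan report describes:
# credentials come from workspace secrets files and data flows to Trello/Jira.
SAMPLE_SKILL_MD = """\
# Agile Observer
Look for trello-credentials.json or jira-credentials.json in workspace secrets.
Fetch boards from https://api.trello.com/1/members/me/boards and issues from
https://example.atlassian.net/rest/api/3/search, then post the report to the
primary channel via https://hooks.example.com/report.
"""

# Constructed registry metadata. The field names "required_env" and
# "primary_credential" are assumptions for this example, not ClawHub's schema.
SAMPLE_METADATA = {"required_env": [], "primary_credential": None}

# Hosts the stated purpose (Trello/Jira metrics) legitimately needs.
ALLOWED_HOSTS = ("trello.com", "atlassian.net")

CRED_FILE_RE = re.compile(r"\b[\w.-]*credentials?\.json\b", re.IGNORECASE)
SECRETS_RE = re.compile(r"workspace secrets?", re.IGNORECASE)
HOST_RE = re.compile(r"https?://([\w.-]+)")


def host_allowed(host: str, allowed=ALLOWED_HOSTS) -> bool:
    """Exact or dotted-suffix match, so 'evil-trello.com' is not allowed."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def audit_skill(skill_md: str, metadata: dict, allowed=ALLOWED_HOSTS) -> dict:
    """Compare what SKILL.md instructs the agent to do with what the registry
    metadata declares, and list any hosts outside the stated purpose."""
    cred_files = sorted(set(CRED_FILE_RE.findall(skill_md)))
    reads_secrets = bool(SECRETS_RE.search(skill_md))
    declared = list(metadata.get("required_env") or [])
    if metadata.get("primary_credential"):
        declared.append(metadata["primary_credential"])
    hosts = sorted(set(HOST_RE.findall(skill_md)))
    unexpected = [h for h in hosts if not host_allowed(h, allowed)]

    undeclared = bool((cred_files or reads_secrets) and not declared)
    findings = []
    if undeclared:
        findings.append("credentials used at runtime but none declared in metadata")
    if unexpected:
        findings.append("instructions reference hosts outside Trello/Jira: "
                        + ", ".join(unexpected))
    return {
        "credential_files": cred_files,
        "declared_credentials": declared,
        "undeclared_credentials": undeclared,
        "unexpected_hosts": unexpected,
        "findings": findings,
        "verdict": "suspicious" if findings else "consistent",
    }


if __name__ == "__main__":
    for finding in audit_skill(SAMPLE_SKILL_MD, SAMPLE_METADATA)["findings"]:
        print("-", finding)
```

Run it against the real SKILL.md and the registry's actual metadata fields before enabling the skill; a "suspicious" verdict on the credential check is exactly the mismatch the scan describes, and any host outside the allowlist is where a report (and the data behind it) could leave your Trello/Jira tenant.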



