v1.0.0

Vestaboard

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:16 AM.

Analysis

The artifacts match a Vestaboard read/write helper, but installing it means giving the agent a token that can change the board’s displayed message.

Guidance: Install this only if you want the agent to read and update your Vestaboard. Keep the Vestaboard token in environment secrets, do not override the API base except to a trusted Vestaboard endpoint, preview messages when needed, and use write-layout only with trusted layout JSON files.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
scripts/vb.js
method: 'POST'

The write functions send POST requests to the configured Vestaboard API, which is expected for this skill but means the tool can change the board's displayed content.

User impact: A requested write can immediately change what appears on the Vestaboard.
Recommendation: Use preview/read before writing when appropriate, and require an explicit user request or confirmation before write/write-layout actions.

Tool Misuse and Exploitation
Severity: Low; Confidence: High; Status: Note
scripts/vb.js
const raw = readFileSync(path, 'utf8');
  const layout = JSON.parse(raw);

The write-layout command reads a caller-supplied local file and posts the parsed JSON as the layout. This is purpose-aligned for layout files, but it is not path-scoped or shape-validated.

User impact: If the wrong JSON file path is supplied, its contents could be sent to the Vestaboard API instead of a valid 6x22 layout.
Recommendation: Use only trusted files such as content/layouts/*.json for write-layout, and consider validating that layouts are 6 rows by 22 numeric character codes before posting.

Agentic Supply Chain Vulnerabilities
Severity: Info; Confidence: High; Status: Note
SKILL.md
npm install

Setup is a user-directed npm install rather than an automatic install spec. The included package files show a small, purpose-aligned dependency, but users should still install only from the reviewed package.

User impact: Installing the skill may fetch npm dependencies needed by the local CLI.
Recommendation: Run npm install only from the reviewed skill directory and prefer using the provided package-lock.json.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
ENV.md
`VESTABOARD_TOKEN` (preferred) — used as `X-Vestaboard-Token` ... `VESTABOARD_RW_KEY` (legacy) — used as `X-Vestaboard-Read-Write-Key`

The skill uses Vestaboard credentials from environment variables. This is expected for reading and writing the board, but the registry metadata does not declare a primary credential or required env vars.

User impact: Anyone who can use the configured token can read or update the associated Vestaboard.
Recommendation: Store the token only in environment/secret management, avoid putting it in prompts or logs, rotate it if exposed, and only set VESTABOARD_API_BASE to trusted Vestaboard endpoints.