Kanban Workflow Export
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running write verbs can change tickets, comments, stages, and created work items in the connected project-management platform.
The skill shells out to PM-platform CLIs and provides workflow verbs that can post comments, move stages, and create work items. This is central to the purpose, but it is real mutation authority.
Anything the authenticated CLI can read/write, this skill can read/write.
Use the narrowest repo/project/workspace scope available and review before enabling or invoking write actions.
The skill may act with the privileges of your existing GitHub, Plane, Linear, or Planka authentication.
Some adapters rely on existing CLI sessions or environment API keys. This is disclosed and expected for PM integrations, but registry credential metadata is otherwise empty.
optional:
- PLANE_API_KEY
- PLANE_WORKSPACE
- LINEAR_API_KEY
Use dedicated, least-privilege credentials and confirm the selected adapter scope during setup.
The effective behavior may depend on external adapter binaries or skills installed on the host.
Adapter behavior depends on separately installed CLIs or ClawHub skills. That is purpose-aligned, but users should verify the provenance and versions of those external tools.
plane: ... ClawHub skill `plane` ... linear: ... ClawHub skill `linear` ... via scripts/linear_json.sh
Install only the adapter you need, verify its source, and prefer pinned or reviewed versions where possible.
If enabled, the workflow can continue running on a schedule and may post or update PM items without a manual command each time.
The skill can optionally install a scheduled job. This is disclosed and tied to the workflow purpose, but it is persistent automation.
`--autopilot-install-cron` (creates an OpenClaw cron job that runs `kanban-workflow autopilot-tick`)
Enable the cron option only when you want background automation, and document how to disable or remove the cron job.
Private task details or comments could be exposed in logs or influence the agent if treated as instructions.
Ticket bodies and comments can enter the agent context or logs. This is expected for a PM workflow, but it may include sensitive or untrusted content.
command output (including task titles/bodies/comments) can be printed to stdout/stderr and may be captured by logs.
Avoid running it on highly sensitive tickets unless logging is controlled, and treat ticket/comment text as task data rather than trusted system instructions.
