Kanban Workflow
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the skill can add comments and update work items in the configured project-management system.
The adapter can use the authenticated GitHub CLI to post comments; similar workflow verbs can change stages or create items. This is central to the skill's purpose, but it is real account mutation.
```javascript
// Posts a comment on the target issue through the authenticated `gh` CLI session
await this.gh.run([
  'issue',
  'comment',
  String(id),
  '--repo',
  this.repo,
  '--body',
  body,
]);
```

Use it only with repos/projects where automated workflow updates are acceptable, and review the configured adapter scope before running write verbs.
Actions are performed as the user/account logged in to the selected PM CLI.
The skill does not store tokens itself, but it acts through already-authenticated local CLI sessions, inheriting those account permissions.
Call existing CLIs (e.g. `gh`, `planka-cli`, `plane-cli`, `linear-cli`), relying on their auth/session.
Authenticate those CLIs with least-privilege accounts or scopes where possible, and verify the selected repo/project/team/board in config.
Security and behavior also depend on the external CLI tools you install and authenticate.
The skill depends on external command-line tools that are outside this package's reviewed source and are not installed or pinned by the skill metadata.
Adapters are **CLI-auth** integrations... GitHub CLI (`gh`)... `planka-cli`... `plane-cli`... `linear-cli`
Install CLIs only from their official sources, keep them updated, and confirm which binary is on your PATH before using the skill.
Ticket descriptions, comments, attachments, and related metadata may be surfaced to the agent and potentially included in later workflow decisions or outputs.
The skill is designed to load detailed work-item content and comments into the agent workflow. This is purpose-aligned, but the retrieved context may contain sensitive business information.
Output: title, current stage, URL, **full body/description**... and the **last 10 comments**... including **private/internal** comments where supported.
Avoid using the skill on projects containing secrets or highly sensitive private comments unless your agent environment is trusted.
If enabled, the skill may continue posting status updates while tasks remain in progress.
The documented automation can repeatedly post PM comments without per-comment manual review if a runtime enables it. It is disclosed and purpose-aligned, but it is autonomous recurring activity.
While an item is in `stage:in-progress`, Kanban Workflow can post an **automatic progress update comment every 5 minutes**.
Enable recurring progress updates deliberately, monitor the first runs, and make sure there is a clear way to stop the runtime or disable the automation.
