Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cline Kanban

v1.0.0

Delegate coding tasks to Cline CLI (open-source autonomous coding agent). Model-agnostic, supports all major providers. Use for one-shot tasks, CI/CD automat...

by Andreas Varotsis (@andreasthinks)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto: Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md clearly documents a CLI-based coding agent (cline) and patterns for delegating tasks to it; the stated purpose matches the content. However, the skill metadata lists no required binaries or runtime, while the instructions state 'Requires Node.js 20+' and direct the user to run 'npm install -g cline'. This is a mismatch between the declared requirements and the runtime the instructions actually depend on.
Instruction Scope
The instructions explicitly direct the agent to read the entire codebase, produce exact file:line replacements, run headless changes with --yolo (auto-approve all file changes), pipe runtime output into the agent, and use subagents that are asked to read the full repository context. All of these are within a coding agent's remit, but headless auto-approval combined with blanket read/write access to repository files gives the agent broad discretion and risks unintended or large-scale changes if misused.
Install Mechanism
This is an instruction-only skill with no install spec; the doc tells the user to install cline via npm (public registry) which is a common, traceable method. There are no opaque download URLs or archive extraction instructions in the skill itself.
Credentials
The SKILL.md expects provider API keys: it shows how to run 'cline auth -k <api_key>' and describes the config files at ~/.cline/data/globalState.json and ~/.cline/data/secrets.json. The skill metadata does not declare any required credentials or a primaryEnv. Two facts matter when evaluating confidentiality and attack surface: the skill implicitly requires model/provider API keys, and the cline tool stores those keys on disk in secrets.json.
Persistence & Privilege
The skill is not force-enabled (always:false) and does not request to modify other skills or system-wide agent settings. It instructs using a separate tool (cline) that writes its own config files, which is normal for a CLI-based agent.
What to consider before installing
Before installing or using this skill, note the following:
(1) The SKILL.md requires Node.js and the external 'cline' package, but the registry metadata doesn't declare those dependencies. Ensure you or your environment provide Node.js, and audit the cline package (npmjs page, GitHub repo) before installing.
(2) The docs instruct headless, auto-approved edits (--yolo) and pipeline use that will commit code automatically. Avoid auto-approve in sensitive repos; prefer manual review or sandboxed runs.
(3) Provider API keys are expected and will be written to ~/.cline/data/secrets.json by the cline tool. Consider the security of that file (permissions, encryption) and the scope of the keys you provide, and rotate or revoke keys if needed.
(4) The skill's source/homepage is not listed in the registry metadata. Verify the upstream project (https://cline.bot/cli) and confirm that the package you install is the intended one.
(5) When in doubt, run cline in an isolated environment (ephemeral VM, container, or forked repo) with limited credentials and no push permissions until you're comfortable with its behavior.
