ClawHub

carl's corkie -- a digitial corkboard for your agent

v1.0.0

Post and manage real-time corkboard pins, lamp cues, deleted-history recovery, and multi-track project pipeline work for the Carl's Corkie dashboard. Use whe...

0· 127·0 current·0 all-time
by@zheroz00

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zheroz00/corkboard-dashboard.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "carl's corkie -- a digitial corkboard for your agent" (zheroz00/corkboard-dashboard) from ClawHub.
Skill page: https://clawhub.ai/zheroz00/corkboard-dashboard
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install corkboard-dashboard

ClawHub CLI

Package manager switcher

npx clawhub@latest install corkboard-dashboard
Security Scan
Capability signals
CryptoRequires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included scripts and docs: installer clones a corkboard repo, builds a Node app, and the CLI helper posts pins to that app. Required tools (node, npm, git, curl, jq) and the .env token are consistent with running a local web dashboard.
Instruction Scope
Runtime instructions and the helper script explicitly read CORKBOARD_TOKEN from a local .env and curl the dashboard API. This is expected for the stated purpose, but the docs also note the client bakes VITE_CORKBOARD_TOKEN into the frontend bundle (so the token may be exposed if the frontend is served publicly). The SKILL.md advises keeping .env private and not exposing the service without a reverse proxy.
Install Mechanism
Installer is a shell script that clones the project from the declared GitHub repo and runs 'npm install' and 'npm run build' (optionally uses PM2). Cloning from GitHub and running npm is appropriate for a Node app, but it carries the usual supply-chain risk (npm postinstall scripts, third-party dependencies). The repo URL is a GitHub URL (not a random IP/shortener), which is lower risk than arbitrary downloads.
Credentials
The skill metadata declares no required env vars, which is accurate; runtime uses CORKBOARD_TOKEN and optional integration vars (HA_URL/HA_TOKEN, LAMP_SERVER, CORKBOARD_ALERT_URL) that are relevant to optional features. These variables are proportionate to the dashboard's function, but be careful: HA_TOKEN and CORKBOARD_TOKEN are sensitive. Also note VITE_CORKBOARD_TOKEN is intentionally baked into the client bundle on build, which can expose the token to anyone who can load the frontend.
Persistence & Privilege
always:false and normal autonomous invocation. Installer copies the skill into the OpenClaw workspace and starts a local service (PM2 optional). It does not modify other skills or system-wide configs beyond typical service startup and workspace registration.
Assessment
This skill appears to do what it says: install and run a local corkboard web app and provide a CLI to post pins. Before installing, verify the GitHub repo is trustworthy (it's the repo the installer clones). Be aware of two practical risks: (1) npm install runs third-party packages—this is normal but a supply-chain exposure; run the installer on a machine you control and review package.json if concerned. (2) The dashboard auto-generates and embeds a bearer token (VITE_CORKBOARD_TOKEN) into the frontend build; if you expose the frontend or the API publicly, that token could be leaked. Keep the .env private, do not publish ports to the public internet without proper reverse-proxy/auth, and rotate the CORKBOARD_TOKEN if you suspect it was exposed. If you plan to integrate Home Assistant, treat HA_TOKEN as highly sensitive and avoid putting it on any publicly reachable instance.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📌 Clawdis
latestvk971nkj3pyxpp420nh5ggvny61856fh4
127downloads
0stars
1versions
Updated 1w ago
v1.0.0
MIT-0
@zheroz00
latest
Download

Corkboard Dashboard

Use this skill when you need to put something actionable on the board right now. Prefer a pin for one-off work or a project for multi-step work with tracks, handoffs, and task checklists.

Quick Start

  1. Install or update the dashboard:
export CORKBOARD_REPO="https://github.com/Grooves-n-Grain/carls-corkie.git"   # first-time installs only
bash {baseDir}/scripts/install.sh
  1. Point tooling at the running API. Use localhost on the same machine, the machine's LAN IP from another trusted device, or a public reverse-proxy hostname if the operator has exposed /api/* externally (see the main README). The dashboard requires a bearer token; the helper script auto-loads it from .env in the install directory:
CORKBOARD_API=http://localhost:3010
# or LAN:
CORKBOARD_API=http://<lan-ip>:3010
# or public reverse-proxy hostname (API routes only, frontend not exposed):
CORKBOARD_API=https://corkie-api.example.com

# CORKBOARD_TOKEN is auto-loaded from .env. To set it manually:
export CORKBOARD_TOKEN="$(grep '^CORKBOARD_TOKEN=' /path/to/dashboard/.env | cut -d= -f2-)"
  1. Post work with the bundled helper (it adds the auth header for you):
bash {baseDir}/scripts/corkboard.sh add task "Review PR" "Auth refactor complete" 1
bash {baseDir}/scripts/corkboard.sh add alert "Server down" "API returning 503s" 1
bash {baseDir}/scripts/corkboard.sh add link "Error logs" "https://logs.example.com/errors"
bash {baseDir}/scripts/corkboard.sh add-opportunity "Wholesale inquiry" "Follow up with studio buyer" 2
bash {baseDir}/scripts/corkboard.sh add-briefing "Morning briefing" "## Today\n- Ship the fix\n- Reply to supplier"
  1. Use the REST API directly for projects, cellar ideas, history/restore, track updates, and lamp state. Every request to /api/* needs the Authorization: Bearer $CORKBOARD_TOKEN header:
curl -X POST "$CORKBOARD_API/api/pins" \
  -H "Authorization: Bearer $CORKBOARD_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"type":"task","title":"Review PR","content":"Auth refactor complete","priority":1}'

curl -X POST "$CORKBOARD_API/api/projects" \
  -H "Authorization: Bearer $CORKBOARD_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"name":"Launch blog","emoji":"✍️","phase":"build","tracks":[{"name":"Write posts","owner":"claude"},{"name":"Review","owner":"you"}]}'

Editing Pins

Task and Note pins can be edited inline on the dashboard by double-clicking the title. From the API, use PATCH /api/pins/:id to update any field:

# Update a pin's title and content
curl -X PATCH "$CORKBOARD_API/api/pins/<pin-id>" \
  -H "Authorization: Bearer $CORKBOARD_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"title":"Updated title","content":"New content here"}'

Pick The Right Surface

  • Use a pin for one-off tasks, alerts, links, notes, briefings, tracking updates, or short-lived reminders.
  • Use a project for multi-step work with phases, tracks, and task lists shared between the agent and the human.
  • Use projectStatus: "cellar" or POST /api/projects/:id/cellar for future ideas that should stay off the active board until they are ready.
  • Tracks are owned by claude, you, or shared; finishing a track can automatically create a follow-up task pin for the next handoff.
  • Use deleted pin history plus restore routes when something should come back to the board instead of being recreated from scratch.
  • Prefer priority: 1 for urgent work, 2 for the normal default, and 3 for low urgency.
  • The dashboard ships with a shared bearer token (CORKBOARD_TOKEN) generated on first run. Keep .env private; the helper script reads the token from there automatically. To disable auth (only behind a reverse-proxy auth layer), set CORKBOARD_AUTH=disabled in .env.

Common Actions

bash {baseDir}/scripts/corkboard.sh list
bash {baseDir}/scripts/corkboard.sh complete <pin-id>
bash {baseDir}/scripts/corkboard.sh delete <pin-id>
bash {baseDir}/scripts/corkboard.sh add-email <from> <subject> [preview] [email_id]
bash {baseDir}/scripts/corkboard.sh add-github <owner/repo> [description] [stars] [forks]
bash {baseDir}/scripts/corkboard.sh add-idea <title> [verdict] [summary] [scores_json] [competitors] [effort]
bash {baseDir}/scripts/corkboard.sh add-tracking <number> <carrier> [status] [eta] [url]
bash {baseDir}/scripts/corkboard.sh add-article <title> <url> <source> <tldr> [bullets_json] [tags_json]
bash {baseDir}/scripts/corkboard.sh add-opportunity <title> [content] [priority]
bash {baseDir}/scripts/corkboard.sh add-briefing <title> <content>
bash {baseDir}/scripts/corkboard.sh add-twitter <title> <content> [url]
bash {baseDir}/scripts/corkboard.sh add-reddit <title> <content> [url]
bash {baseDir}/scripts/corkboard.sh add-youtube <youtube-url>
curl -H "Authorization: Bearer $CORKBOARD_TOKEN" "$CORKBOARD_API/api/pins/history/deleted"
curl -X POST -H "Authorization: Bearer $CORKBOARD_TOKEN" "$CORKBOARD_API/api/pins/<pin-id>/restore"
curl -X POST -H "Authorization: Bearer $CORKBOARD_TOKEN" "$CORKBOARD_API/api/projects/<project-id>/cellar"
curl -X POST -H "Authorization: Bearer $CORKBOARD_TOKEN" "$CORKBOARD_API/api/lamp/waiting"

References

  • API routes, socket events, project statuses, track attachments, deleted-history behavior, and lamp controls: {baseDir}/references/api.md
  • Install, LAN access, env vars, helper script usage, and trusted-network notes: {baseDir}/references/setup.md
  • Pin types, specialized payload shapes, and example request bodies: {baseDir}/references/pin-types.md

Comments

Loading comments...