HoneyDew

Pass

Audited by ClawScan on May 1, 2026.

Overview

HoneyDew is a coherent instruction-only skill for managing a local Kanban app, but users should remember that it can change or delete board data through a local API that has no authentication.

This skill is reasonable to install if you want an agent to manage a local HoneyDew Kanban board. Keep the HoneyDew API private, review destructive actions before allowing them, avoid putting secrets in task comments, and only run the separate HoneyDew repo setup scripts if you trust that source.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can make persistent changes to your Kanban boards, including deleting boards or cards, when directed through the skill.

Why it was flagged

The skill intentionally gives the agent access to API operations that can modify or delete HoneyDew board data.

Skill content

Creating, updating, moving, or deleting cards ... DELETE /api/boards/{id} ... DELETE /api/cards/{id}

Recommendation

Use the skill for intended task-management actions, but require explicit confirmation for deletes, bulk moves, or other hard-to-reverse changes.

What this means

Any agent or process that can reach the configured HoneyDew API could operate on the board without separate user credentials.

Why it was flagged

The API access model has no authentication, so access control depends on keeping the HoneyDew backend local or on a trusted network.

Skill content

**Auth:** None (local app, no API key required)

Recommendation

Keep the backend bound to localhost or a trusted network, and avoid pointing SMARTIFY_API_URL at an exposed or shared instance unless that is intentional.

What this means

The reviewed skill does not include executable setup code, but the separate HoneyDew app setup can execute local scripts.

Why it was flagged

The skill package is instruction-only, but normal use depends on separately obtaining and running scripts from the HoneyDew repository.

Skill content

Clone the repo, run `./install.sh`, then `./start.sh`.

Recommendation

Review or trust the HoneyDew repository before running its install/start scripts, and prefer the documented upstream source.

What this means

Sensitive details or misleading instructions placed in tasks/comments could persist and influence later work.

Why it was flagged

Task comments and board state are persistent shared context that future users or agents may read and act on.

Skill content

Both users and agents can add comments to any task ... You hand off work: Note the current state so the next person (user or agent) has context.

Recommendation

Avoid storing secrets in HoneyDew comments, and treat task text or comments as user/project context rather than unquestionable instructions.