Kan.bn TODO API

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill matches its Kan.bn TODO-management purpose, but it will use Kan.bn credentials and can change or delete Kan.bn account data when invoked.

Install this only if you want an agent to manage your Kan.bn tasks through the API. Check that any `KANBN_TOKEN`, `KANBN_API_KEY`, and `KANBN_BASE_URL` values are intentional, and require confirmation for deletes, profile changes, or ambiguous task matches.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation (Severity: Medium)

What this means

If invoked on the wrong item, the agent could change or delete a Kan.bn task or update profile information.

Why it was flagged

The skill is designed to perform Kan.bn API mutations, including deletion and profile updates. This is purpose-aligned and explicitly documented, but it affects user account data.

Skill content

Delete TODO:

```bash
python3 scripts/kanbn_todo.py todo-delete --card-id <cardPublicId>
```

Update the personal profile only when the user explicitly asks:

Recommendation

Use it for intended Kan.bn workflows, and have the agent confirm ambiguous matches or destructive operations before proceeding.

ASI03: Identity and Privilege Abuse (Severity: Medium)

What this means

Anyone running the skill with a valid token or API key lets it act against the corresponding Kan.bn account within that credential's permissions.

Why it was flagged

The helper can use Kan.bn credentials from the environment or `~/.bashrc`; this is expected for API access and is limited to Kan.bn-related variable names, but it grants account authority.

Skill content

```python
bashrc_env = _load_bashrc_env({"KANBN_BASE_URL", "KANBN_TOKEN", "KANBN_API_KEY"})
```

Recommendation

Use a scoped Kan.bn credential if available, verify `KANBN_BASE_URL` points to the intended Kan.bn API, and avoid placing tokens in command-line history.

ASI04: Agentic Supply Chain Vulnerabilities (Severity: Low)

What this means

It is harder to verify the script's origin before granting it Kan.bn account access.

Why it was flagged

The artifact provenance is limited. No remote installer or dependency risk is shown, but the included helper script handles credentials and account mutations.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included script and prefer an official or otherwise trusted source before using real credentials.