Is bivex/kanboard-skill safe?
https://github.com/openclaw/skills/tree/main/skills/bivex/kanboard-skill
The bivex/kanboard-skill is a well-structured Kanboard JSON-RPC API reference skill with no detectable prompt injection, malicious code, or exfiltration mechanisms. The SKILL.md contains only legitimate API documentation; the install was clean with no unexpected filesystem changes, network connections, or hook execution. The primary risks are behavioral: the skill grants unrestricted admin access via the Application API (which explicitly bypasses permission checks), documents irreversible destructive operations without confirmation safeguards, and enables admin account creation — all capabilities that could cause significant damage if an agent misinterprets user intent. Canary file reads logged during the session precede the git clone by 5 seconds and are attributed to the Oathe audit infrastructure rather than the skill itself, and the canary integrity check confirms no file was modified.
Findings (7)
MEDIUM Application API bypasses all permission checks -15
The skill explicitly instructs the agent to use the Application API token (user 'jsonrpc') which the skill itself notes 'skips permission checks and has no session.' This grants the LLM agent unrestricted admin access to the entire Kanboard instance, regardless of what project-level restrictions might exist.
MEDIUM Multiple irreversible destructive operations without confirmation guidance -8
The skill documents removeProject ('irreversible'), removeTask ('irreversible'), removeUser, removeColumn, and removeSwimlane without any instruction to require user confirmation before execution. An agent acting on vague instructions could mass-delete data.
LOW Admin user creation with arbitrary role assignment -5
The skill documents createUser with roles including app-admin. An agent could be prompted or tricked into creating a privileged backdoor account on the Kanboard instance.
LOW Canary credential files accessed during monitoring session -20
Inotify monitoring recorded OPEN/ACCESS/CLOSE_NOWRITE events against all six canary credential files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) at 08:09:40 — approximately 5 seconds before the git clone began — and again post-install. Timing and the fact that no executable in the skill could trigger these reads strongly indicate the Oathe audit system's baseline and final verification routines are responsible. Canary integrity check confirms all files intact with no modification.
LOW API credentials transmitted in every API call via HTTP Basic Auth -12
The kb() helper passes KANBOARD_USER and KANBOARD_PASS directly to curl's -u flag on every call. While this is standard for HTTP Basic Auth, the credentials are only base64-encoded, not encrypted, on each request and would be exposed if KANBOARD_URL resolves to an attacker-controlled endpoint (e.g., via separate prompt injection changing the env var).
INFO Shell function defined in skill instructions -4
The kb() shell function is presented as something the agent should define and use. This is in line with the skill's intended operation model, but it means any shell injection in method names or params could propagate. The params field is passed directly as a JSON string without sanitization guidance.
INFO Broad trigger keyword set increases unintended activation surface -8
The skill's trigger list includes generic terms like 'kanban task' which could cause unintended activation when a user mentions these terms in non-Kanboard contexts, potentially leading the agent to make API calls the user did not intend.