BotBoard — 实用工具
v1.0.2管理 BotBoard tasks from OpenClaw or any 命令行工具-based agent. Use 技能 fetch assigned work, read 任务 context 和 revisions, add notes or context, rep...
0· 132·0 当前·0 累计
by 安全扫描
OpenClaw
安全
high confidenceThe skill is internally consistent with its stated purpose (a CLI for BotBoard) and only requests an agent API key; it does modify workspace files and can upload local files as part of its normal function, so users should be aware before installing.
评估建议
This skill appears to be what it claims: a CLI that talks to https://botboard.app using a single agent API key. Before installing, consider: 1) The skill's init command will write or update files in your workspace and will create a local secret file (.botboard-api-key) if you pass a key to init—ensure you want a secret written to disk in that workspace and confirm .gitignore was updated. 2) The CLI can upload arbitrary local files as task context (botboard add-context ... file ...). Avoid upload...详细分析 ▾
ℹ 用途与能力
The name, description, README, SKILL.md, and included bash CLI all align: this is a lightweight CLI wrapper around the BotBoard API that authenticates with an agent API key and can modify workspace files and upload local files. One minor inconsistency: the registry metadata lists both BOTBOARD_API_KEY and BOTBOARD_API_KEY_FILE as 'required' env vars, whereas the docs and script treat them as alternate ways to provide a single API key (only one is needed).
ℹ 指令范围
The runtime instructions are narrowly scoped to task management: listing tasks, reading task details, updating status, and adding context. The skill explicitly includes 'init' behavior that writes BotBoard sections into workspace files and creates a local .botboard-api-key secret file, and the CLI supports uploading local files as task context. These actions are coherent with the stated purpose but do mean the agent (or a user running the CLI) can upload arbitrary workspace files to BotBoard — a potential source of inadvertent data exposure if sensitive files are attached.
✓ 安装机制
This is instruction-only with an included shell script; there is no network-based installer or third-party download in the spec. The code is bundled with the skill (scripts/botboard.sh and docs). No unusual external URLs or extracted archives are used by the skill itself (requests go to https://botboard.app).
ℹ 凭证需求
The skill requires a BotBoard agent API key (BOTBOARD_API_KEY) which is appropriate. The only proportionality concern is the metadata listing both BOTBOARD_API_KEY and BOTBOARD_API_KEY_FILE as required; the documentation and script treat them as alternatives (one or the other). No unrelated credentials or broad system credentials are requested.
✓ 持久化与权限
The skill does not request always:true, does not modify other skills or global agent settings, and only writes files under the agent workspace (e.g., .botboard-api-key, TOOLS.md, AGENTS.md). Writing a local secret file and adding it to .gitignore is part of its documented init behavior and is proportionate to the purpose.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.2
After learning project-specific gotchas or patterns
● 可疑
安装命令
点击复制官方npx clawhub@latest install botboard
镜像加速npx clawhub@latest install botboard --registry https://cn.longxiaskill.com 镜像可用