simoneferrario

Miro board

Author: Simone Ferrario · GitHub · v1.0.0
cross-platform ⚠ suspicious
Total downloads: 885
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install miro-workshop-assistant
Description
Workshop photos/notes -> an editable Miro diagram (real FRAMES as containers + stickies + connectors) with idempotent dedupe, rollback, undo and change commands, using the local script miro-push.mjs and env vars.
Security usage recommendations
What to check before installing/using:
- Metadata mismatch: the registry advertises no required env vars, but the script and SKILL.md require MIRO_ACCESS_TOKEN and MIRO_BOARD_ID. Treat this as a red flag: confirm the owner/publisher and request corrected metadata before granting credentials.
- Least privilege: create a Miro token scoped only to the specific board/actions if possible, and use a test board first. Do not reuse a broad admin token.
- Manual review & dry run: inspect miro-push.mjs yourself (you already have it). Run generate-only mode (produce the _out/miro-ready-*.json) and review the JSON before running node miro-push.mjs apply. Prefer manual apply until you trust the skill.
- Token handling: SKILL.md states never to print MIRO_ACCESS_TOKEN. Ensure logs and agent outputs do not echo environment variables. Rotate the token if you suspect it was exposed.
- Autonomous invocation: if you allow the agent to call skills autonomously, remember it can push changes to your board using the token. Consider disabling autonomous use or requiring explicit confirmation for push operations.

If you want higher confidence, request that the publisher update the registry metadata to list MIRO_ACCESS_TOKEN and MIRO_BOARD_ID as required env vars and provide an explicit description of scopes needed for the token.
Functional analysis
Type: OpenClaw Skill
Name: miro-workshop-assistant
Version: 1.0.0

The skill is classified as suspicious due to the direct command execution instruction in `SKILL.md` (`node ...\miro-push.mjs apply <PATH_JSON>`). While this is necessary for the skill's functionality, it represents a high-risk capability that could lead to Remote Code Execution (RCE) if the AI agent were to be compromised via prompt injection, allowing it to craft malicious arguments for the `node` command. The `miro-push.mjs` script itself appears to be well-behaved, interacting only with the Miro API and local files, and includes some input sanitization. However, the agent's ability to execute arbitrary local commands, even if intended for benign purposes, introduces a significant vulnerability risk.
Capability assessment
Purpose & Capability
Name/description (push workshop items to Miro) matches the included script and instructions. However the registry metadata lists no required env vars while both SKILL.md and miro-push.mjs require MIRO_ACCESS_TOKEN and MIRO_BOARD_ID — this mismatch is unexplained and reduces trust.
Instruction Scope
SKILL.md instructs generating JSON and running the bundled Node script to push/undo items on a Miro board. The runtime steps, file paths (_out/*.json, _out/.state.json) and environment usage are limited to the described domain and do not ask the agent to read unrelated system files or external endpoints outside api.miro.com.
Install Mechanism
This is instruction-only with a local Node script (no installer, no remote downloads). No risky install steps or external archives are present.
Credentials
The script legitimately needs a Miro access token and a board id (MIRO_ACCESS_TOKEN, MIRO_BOARD_ID). Those two are proportionate to the purpose, but the skill registry metadata does not declare them — the absence of declared required env vars is an incoherence that could lead to unexpected behavior or surprise when the agent is granted credentials.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It writes its own state to _out/.state.json to implement idempotency/undo (expected). Be aware that the agent (if allowed autonomous invocation) can call the script and modify your Miro board using the provided token — this is normal for such a skill but increases blast radius if the token is overly privileged or the skill is misused.
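How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install miro-workshop-assistant
  3. Once installation completes, call the Skill by name or trigger it with /miro-workshop-assistant
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history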
v1.0.0
Workshop → Miro Agent (OpenClaw Skill)

Turn workshop whiteboard photos (or raw notes) into a clean, editable Miro diagram—with real containers (Frames), grouped stickies, and smart connectors—then push directly to Miro via API.

What it does

Photo/notes → structured diagram
- Detects logical “areas” (e.g., Product A, Product B, Easy Vision, Milestone) and creates Miro Frames as true containers.
- Places stickies inside the correct frame with a readable layout.

Clean relationships
- Creates connectors where they make sense.
- If the diagram is clearly “container → container” (e.g., Product A → Product B), it creates a frame-to-frame flow (not random sticky-to-sticky arrows).
- Prevents messy arrows by avoiding cross-frame sticky connectors when a container-level flow is detected.

No duplicates (idempotent)
- Uses a stable sessionKey + a runId.
- Re-running the same session replaces the previous run automatically.

Undo / rollback
- Automatic rollback if a run fails.
- Manual undo per session with a single command.

Key technical improvements

Bulletproof frame creation
- If the AI output misses frames, the script auto-generates frames using:
  - Title stickies (e.g., “Product A”, “Product B”), or
  - X-axis clustering (left/right grouping) as fallback.

Fixed Miro parent-boundary errors
- Correctly converts coordinates when parenting stickies into frames (avoids “position is outside parent boundaries”).

Arrow-only sticky filtering
- Removes “→ / ->” as stickies (arrows are connectors, not post-its).

How it pushes to Miro

Uses only environment variables (no cookies, no browser session hacks):
- MIRO_ACCESS_TOKEN
- MIRO_BOARD_ID

Executes a local script:
- node miro-push.mjs apply <miro-ready.json>
- node miro-push.mjs undo <sessionKey>

Output format

The agent produces a Miro-ready JSON containing:
- frames[] (containers)
- stickies[] (notes inside frames)
- connectors[] (relationships)
- meta.sessionKey + meta.runId for idempotent updates

Best for
- Workshop facilitation
- Architecture diagrams
- Product mapping sessions
- Brainstorms that need to become clean, editable boards fast
Metadata
Slug: miro-workshop-assistant
Version: 1.0.0
License:
Total installs: 0
Current installs: 0
Number of versions: 1
FAQ

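What is Miro board?

Workshop photos/notes -> an editable Miro diagram (real FRAMES as containers + stickies + connectors) with idempotent dedupe, rollback, undo and change commands, using the local script miro-push.mjs and env vars. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 885 total downloads to date.

How do I install Miro board?

Run the command "/install miro-workshop-assistant" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.

Is Miro board free?

Yes, Miro board is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Miro board support?

Miro board is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Miro board?

It is developed and maintained by Simone Ferrario (@simoneferrario); the current version is v1.0.0.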
