74
/ 100
25 days ago
glama

kanban-lite

MCP server for AI agents to manage a lightweight kanban board stored as markdown files, enabling task creation, updates, and column movements.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry β€” install directly from whichever one you prefer.

// key findings
🚨
Known vulnerabilities in dependencies: 1 critical, 3 high
Affects packages this MCP installs at runtime. Upgrade or remove the affected dependency.
πŸ”
You'll be asked for 6 credentials: ACTION_WEBHOOK_SECRET, KANBAN_API_TOKEN, KANBAN_LITE_TOKEN, KANBAN_TOKEN, OPENAI_API_KEY, RUNTIME_HOST_PLUGIN_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// known CVEs in dependencies1 critical3 high4 medium12 low

Disclosed vulnerabilities in this server's declared npm dependencies (via OSV). Whether each is reachable depends on the installed versions.

criticalvitest@4.0.18GHSA-5xrq-8626-4rwp

When Vitest UI server is listening, arbitrary file can be read and executed

highesbuild@0.19.0GHSA-gv7w-rqvm-qjhr

esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

highvite@5.0.0GHSA-c24v-8rfc-w8vw

Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

highvite@5.0.0GHSA-c27g-q93r-2cwf

launch-editor vulnerable to command injection via the crafted request on Windows

mediumvite@5.0.0GHSA-356w-63v5-8wf4

Vite has an `server.fs.deny` bypass with an invalid `request-target`

Depend on this server? Get alerted when its CVEs change.Watch this server free β†’
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
πŸ” secretACTION_WEBHOOK_SECRET
πŸ” secretKANBAN_API_TOKEN
configKANBAN_API_URL
configKANBAN_BOARD_ID
configKANBAN_DIRβ€” "": "/path/to/your/project/.kanban"
configKANBAN_E2E_BASE_URL
configKANBAN_E2E_SCENARIO
configKANBAN_FEATURES_DIR
πŸ” secretKANBAN_LITE_TOKENβ€” Authorization: Bearer <token> (when is set in the webhook runtime)
πŸ” secretKANBAN_TOKENβ€” CLI: use --token <value> for a one-off invocation, or the shared workspace token from KANBAN_LITE_TOKEN ( is still accepted as a compatibility alias).
configKANBAN_USE_MOCK
configNEXT_PUBLIC_CHAT_URL
configNEXT_PUBLIC_KANBAN_WEB_URL
πŸ” secretOPENAI_API_KEY
configOPENAI_MODEL
πŸ” secretRUNTIME_HOST_PLUGIN_TOKEN
configRUNTIME_HOST_SAMPLE
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance β€” verified publishers only
We have 6 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/borgius-kanban-lite-1dtadi)](https://m8ven.ai/mcp/borgius-kanban-lite-1dtadi)
commit: 6254ddde8b0d49e5915b859310602744ecad61b3
code hash: 5a4ae641af8af50a945047c1caa9aa9ce4f5e05a360491ec21a7e18504f3a251
verified: 6/14/2026, 10:25:15 AM
view raw JSON β†’
kanban-lite Β· M8ven Trust Score | M8ven