Shortcut

v1.4.1

Manage stories on Shortcut.com kanban boards. Use when creating, updating, or listing tasks/stories on Shortcut project management boards. Supports creating stories with descriptions and types (feature/bug/chore), updating story status, and listing active/completed stories. Includes full checklist task management and comment support.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description align with the included scripts: all scripts call Shortcut's API and implement create/list/update/delete for stories, tasks, and comments. However, the skill registry metadata declares no required environment variables or binaries even though the SKILL.md and scripts require a Shortcut API token (SHORTCUT_API_TOKEN or ~/.config/shortcut/api-token) and runtime tools (bash, curl, jq). That mismatch between claimed requirements and actual needs is unexpected and should be fixed or explained by the author.
Instruction Scope
SKILL.md and the scripts stay within the expected scope: they call the official Shortcut API (https://api.app.shortcut.com/api/v3), read/write local config files under ~/.config/shortcut, and do not attempt to read unrelated system data. The scripts create ~/.config/shortcut/workflow-states and use /tmp for transient responses; SKILL.md suggests optionally adding the token to ~/.bashrc (user-facing guidance). There are no hidden endpoints or broad data-collection steps in the scripts.
Install Mechanism
There is no install spec (instruction-only), which is low risk from supply-chain downloads. However, the skill includes many shell scripts bundled in the skill itself; installing the skill will place those scripts on disk. The scripts are plain bash and use curl/jq; the metadata should list these runtime dependencies but does not.
Credentials
Functionally the skill only needs a single Shortcut API token and workspace permissions (proportional to the stated purpose). But the registry metadata lists no required env vars while SKILL.md and every script require SHORTCUT_API_TOKEN or a token file. Additionally the manifest does not declare required binaries (curl, jq). This omission is a practical and security-relevant inconsistency: users may not realize they must supply a token and may be surprised that scripts access ~/.config/shortcut and ~/.bashrc (if they follow the optional guidance).
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It writes and reads its own configuration under ~/.config/shortcut and suggests optionally sourcing that file from ~/.bashrc — these are standard, limited local config actions. Autonomous invocation is allowed by default (normal for skills) but not combined with other high-risk behaviors here.
What to consider before installing
This skill's code matches its description (it talks to Shortcut's official API and manages stories, tasks, comments), but the package metadata omits important operational requirements. Before installing:
1) Verify you trust the skill author (owner ID provided) because the skill will use your Shortcut API token.
2) Expect to provide SHORTCUT_API_TOKEN (or create ~/.config/shortcut/api-token) — the skill does not declare this in metadata.
3) Ensure curl and jq are available on the agent host (scripts depend on them).
4) Inspect the scripts locally (they're plain bash) to confirm behavior; the scripts write ~/.config/shortcut/workflow-states and may advise adding a source to ~/.bashrc — do not blindly modify your shell rc files.
5) Prefer creating a token with the least privileges necessary and rotate/revoke it if you uninstall or stop using the skill.
The omissions in metadata are likely sloppy packaging rather than malicious intent, but they are security-relevant and should be corrected before use.
