Shortcut

The OpenClaw AgentSkills skill bundle for Shortcut.com is classified as benign. All scripts (`scripts/*.sh`) interact exclusively with the legitimate Shortcut API (`https://api.app.shortcut.com/api/v3`) for managing stories, tasks, and comments. API tokens are securely handled by reading from environment variables or a dedicated configuration file (`~/.config/shortcut/api-token`). The `shortcut-init-workflow.sh` script generates a configuration file (`~/.config/shortcut/workflow-states`) containing environment variable exports for workflow states, which is a standard and transparent configuration practice. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts in `SKILL.md` or `README.md` that would subvert the agent's intended behavior or access unrelated sensitive data. All operations are clearly aligned with the stated purpose of integrating with Shortcut.com.