Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Asana

v1.0.2

Manage Asana via the Asana REST API. Use when you need to list workspaces, projects, tasks, search tasks, comment, update, complete, or create tasks.

by The Ton Le @k0nkupa
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Asana API management) match the actual behaviour: a Node-based CLI that lists projects/tasks, creates/comments/updates tasks, and supports PAT or OAuth. The only required binary is node and the declared primary credential is ASANA_PAT — both are appropriate and proportional.
Instruction Scope
SKILL.md and scripts confine operations to Asana API calls and local config files (~/.openclaw/asana/*). Commands and setup steps are explicit (configure.mjs, oauth_oob.mjs, asana_api.mjs). There are no instructions to read unrelated system files, exfiltrate arbitrary data, or call unexpected endpoints.
Install Mechanism
This is an instruction-only skill with included Node scripts; there is no remote installer or archive download. No unusual install mechanism is used and nothing is written outside the declared local config paths.
Credentials
The primary credential is ASANA_PAT (appropriate). Optional support for ASANA_CLIENT_ID and ASANA_CLIENT_SECRET for OAuth is documented and justified. The skill does not request unrelated secrets or environment variables.
Persistence & Privilege
always:false (normal). The skill persists only its own local state under ~/.openclaw/asana (config.json, token.json). It does not modify other skills or system-wide settings.
Assessment
This skill appears coherent and implements a typical PAT-first Asana CLI. Before installing: only provide an Asana PAT or OAuth client creds if you trust the skill's source; prefer a PAT with limited scopes or an account you can revoke. Ensure ~/.openclaw/asana/ files are stored with appropriate filesystem permissions. If you need stronger isolation, use OAuth with an app/client you control and revoke tokens if the skill is removed. Finally, verify you trust the published owner (owner ID/slug) since the agent will be able to call the Asana API using the provided token.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/asana_api.mjs:70
Environment variable access combined with network send.
scripts/oauth_oob.mjs:84
Environment variable access combined with network send.
scripts/asana_api.mjs:41
File read combined with network send (possible exfiltration).

latest vk970kfrw5zpmj83v85d0f0xdzd84abj1

Runtime requirements

Bins: node
Primary env: ASANA_PAT
