Atoll Api
Pass. Audited by ClawScan on May 12, 2026.
Overview
The skill appears to be a legitimate Atoll API helper, but it requires an org-scoped API key and can make real changes to Atoll when directed.
This skill is suitable if you want an agent to work with Atoll. Before installing, create a dedicated least-privilege Atoll API key, confirm the org ID is correct, avoid giving unnecessary admin permissions, and review any requested writes, deletes, member changes, billing actions, automation rules, or webhooks. If you use the optional Atoll CLI, verify or pin the npm package version first.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a highly privileged Atoll key, the agent may be able to read or change organization data within that scope.
The skill requires a credential whose effective permissions depend on the Atoll account or integration used.
Agents and integrations use normal org-scoped API keys. Their permissions come from the Atoll member or integration that owns the key.
Use a least-privilege Atoll agent or integration key for the intended org, avoid owner/admin credentials unless necessary, and rotate the key if exposed.
The agent can create, update, or delete Atoll records when instructed and authorized by the provided key.
The API reference includes mutating and destructive operations, which are expected for a project-management API but can change user data.
| Method | Path | Description |
| --- | --- | --- |
| POST | `/api/orgs/{id}/issues` | Create task |
| ... | ... | ... |
| PATCH | `/api/orgs/{id}/issues/{issueId}` | Update task |
| ... | ... | ... |
| DELETE | `/api/orgs/{id}/issues/{issueId}` | Delete task |

Review high-impact changes before approving them, especially deletes, member changes, billing-related actions, automation rules, and webhooks.
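One way to enforce that review step mechanically, as an added example that is not code from the Atoll skill or from ClawScan: a policy gate an agent harness applies to every Atoll API call before sending it. Reads pass, ordinary writes pass but are logged, and destructive or high-impact calls need an explicit approval flag; calls to any org other than the one the key was issued for are refused. Only `/api/orgs/{id}/issues` appears in the scanned artifact; the resource names `members`, `billing`, `automations` and `webhooks`, and the org id `org_123`, are assumptions for the example.

```javascript
// Added example, not code from the Atoll skill or from ClawScan.
// Gate every outgoing Atoll API call: read-only passes, ordinary writes are
// logged, deletes and assumed high-impact resources require human approval.

const MUTATING = new Set(["POST", "PUT", "PATCH", "DELETE"]);
// Assumed resource names; only "issues" appears in the scanned artifact.
const HIGH_IMPACT = new Set(["members", "billing", "automations", "webhooks"]);

function splitPath(path) {
  // Drop query string / fragment and split into non-empty segments.
  return String(path).split(/[?#]/)[0].split("/").filter(Boolean);
}

// Returns { level, reason } with level in "allow" | "log" | "approve" | "deny".
function classify(method, path) {
  const m = String(method).toUpperCase();
  const seg = splitPath(path);
  if (seg[0] !== "api" || seg[1] !== "orgs" || seg.length < 3) {
    return { level: "deny", reason: "not an org-scoped Atoll path" };
  }
  if (!MUTATING.has(m)) return { level: "allow", reason: "read-only" };
  if (m === "DELETE") return { level: "approve", reason: "destructive operation" };
  const hit = seg.slice(3).find((s) => HIGH_IMPACT.has(s));
  if (hit) return { level: "approve", reason: `changes ${hit}` };
  return { level: "log", reason: "ordinary write" };
}

// expectedOrgId: the org the API key was created for (constructed value in tests).
// approved: set only after a human reviewed this specific call.
function gate({ method, path }, { expectedOrgId, approved = false }) {
  const c = classify(method, path);
  if (c.level === "deny") return { allowed: false, ...c };
  const orgId = splitPath(path)[2];
  if (orgId !== expectedOrgId) {
    return { allowed: false, level: "deny", reason: `org ${orgId} does not match the key's org` };
  }
  if (c.level === "approve") return { allowed: approved, ...c };
  return { allowed: true, ...c }; // "allow" and "log"; the caller records "log" calls
}
```

The gate is deliberately conservative: a path it cannot classify is denied rather than allowed, and approval is per call, so a human decision about one delete does not carry over to the next.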
Using the optional CLI means trusting the npm package and whatever version is current when installed or run.
The skill is instruction-only, but its optional CLI workflow depends on an external npm package that is not pinned in the artifact.
Install globally or use via npx:

```bash
npm install -g @atollhq/cli
# or: npx @atollhq/cli
...
```
If using the CLI, verify the package source and consider pinning a known-good version instead of installing or running the latest version automatically.
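A check for the pinning advice above, as an added example that is not code from the Atoll skill or from ClawScan: it reports every npm dependency spec that is not an exact version, since `latest`, `*`, caret or tilde ranges and bare dist-tags all resolve to whatever the registry serves at install or `npx` time. The manifest is constructed for the example, the package names other than `@atollhq/cli` are made up, and `1.2.3` is a placeholder rather than a known-good release of the CLI.

```javascript
// Added example, not code from the Atoll skill or from ClawScan.
// Flags dependency specs that are not pinned to one exact version and builds
// the spec string for `npm install -g <spec>` or `npx <spec>`.

// Exact semver: MAJOR.MINOR.PATCH with optional pre-release and build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function normalise(spec) {
  // npm treats "=1.2.3" and "v1.2.3" as exact versions; strip that prefix.
  return String(spec).trim().replace(/^[=v]/, "");
}

function isPinned(spec) {
  if (typeof spec !== "string") return false;
  return EXACT_SEMVER.test(normalise(spec));
}

// Returns "name@spec" for every dependency that is not exactly pinned.
// git, URL and file specs are reported too: they are not registry-pinned versions.
function findUnpinned(manifest) {
  const sections = ["dependencies", "devDependencies", "optionalDependencies"];
  const out = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (!isPinned(spec)) out.push(`${name}@${spec}`);
    }
  }
  return out;
}

// Builds the install spec and refuses anything that is not an exact version,
// so an agent cannot silently fall back to "latest".
function pinSpec(name, version) {
  if (!isPinned(version)) {
    throw new Error(`refusing unpinned version "${version}" for ${name}`);
  }
  return `${name}@${normalise(version)}`;
}

// Constructed manifest for the example; the version numbers are placeholders.
const EXAMPLE_MANIFEST = {
  name: "agent-env",
  dependencies: { "@atollhq/cli": "latest", "example-lib": "^1.3.0", "other-lib": "2.0.1" },
  devDependencies: { "dev-tool": "*" },
};
```

Run `findUnpinned` over the manifest the agent environment actually installs from, and use `pinSpec` to produce the argument for `npm install -g` or `npx` once a version has been reviewed; the function throws rather than returning a floating spec.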
If configured to an untrusted endpoint, Atoll event data could be sent outside the organization.
The documented API can create webhooks that send Atoll events to an external HTTPS endpoint.
## Webhook Fields
```json
{
"url": "https://example.com/webhook",
"events": ["issue.created", "issue.updated"],
"enabled": true
}
```
URL must be HTTPS. Response includes `secret` for HMAC signature verification.

Only create webhooks for trusted HTTPS endpoints, store the returned `secret` outside the repository and use it to verify the signature on every delivery, and verify the event types before enabling them.
