ClawHub

Shortcut Epic and Story skill

v1.0.2

Access and manage Shortcut.com (formerly Clubhouse) project management. Use when the user asks to: list stories, view backlog, search issues, check epics, up...

0· 436·0 current·0 all-time
bySina Khelil@incognos
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries (curl, jq), and the sole credential (SHORTCUT_API_TOKEN) match a REST-API-based Shortcut integration. No unrelated services, binaries, or config paths are requested.
Instruction Scope
SKILL.md contains concrete curl/jq commands limited to the Shortcut API (api.app.shortcut.com). It reads/writes a single credential file at ~/.openclaw/secrets/shortcut and builds JSON safely with jq. The only minor scope note: the skill recommends persisting the API token to disk (or optionally exporting for the session) — storing a full-access token on disk is a design choice with privacy implications but not an incoherence.
Install Mechanism
Instruction-only skill with no install spec and no downloads. This is the lowest-risk install model and is appropriate for a shell-script-based integration.
Credentials
Only the SHORTCUT_API_TOKEN credential is required, which is proportionate to the functionality. Important caveat: Shortcut API tokens are described as having full member-level access (no finer scopes), so the single required secret grants broad permissions within the Shortcut workspace — users should be aware of this.
Persistence & Privilege
The skill is not force-included (always:false) and does not request system-wide privileges or modify other skills. Its only persistence behavior is optional: saving the token to ~/.openclaw/secrets/shortcut, which affects only the user's home directory and is within expected behavior for credential caching.
Assessment
This skill appears to do what it says: it uses curl and jq to call Shortcut's REST API and needs your Shortcut API token. Before installing or using it: (1) Understand that Shortcut tokens described here are 'member-level' and grant broad access to your Shortcut account — only provide a token for an account you trust. (2) If you prefer not to persist the token on disk, follow the SKILL.md advice to export SHORTCUT_API_TOKEN for the session instead of saving to ~/.openclaw/secrets/shortcut. (3) If possible, issue a limited-purpose/throwaway token or rotate/delete the token after use. (4) Verify file permissions (chmod 600) if you do store the token. If you need stronger isolation or auditing, consider using a dedicated account or workspace with minimized privileges.

Like a lobster shell, security has layers — review code before you run it.

latestvk977m7h195ybryvr9etwe11cg581sye9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎯 Clawdis
Binscurl, jq
Primary envSHORTCUT_API_TOKEN

Comments