Shortcut Epic and Story skill

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Shortcut.com integration that openly uses a Shortcut API token to read and modify project-management items.

Install this only if you want the agent to read and edit Shortcut data on your behalf. Before using write or bulk-create workflows, review the proposed changes, and keep the Shortcut API token protected or use the session-only option.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent can create or modify Shortcut stories, epics, comments, and dependency links when used with your token.

Why it was flagged

The skill documents Shortcut API write operations that can change workspace project data. This is purpose-aligned and disclosed, but users should notice the mutation authority.

Skill content

Use when the user asks to: ... update story state, create stories or epics, add comments, wire story dependencies ... Read and write Shortcut.com stories, epics, and workflows via the REST API v3.

Recommendation

Use the skill only where agent-assisted Shortcut edits are acceptable, and require user review before bulk creation or important updates.

What this means

Anyone or any process that obtains the token could act with your Shortcut member permissions.

Why it was flagged

The skill uses a persistent local Shortcut API token with broad member-level account authority. This is clearly disclosed and expected for the integration.

Skill content

Token is stored at `~/.openclaw/secrets/shortcut` ... Shortcut tokens have full member-level access — no scope restriction is available.

Recommendation

Protect the token file, rotate or delete the token when no longer needed, and consider using the session-only export option if you do not want the token persisted.