Skill v1.0.2
ClawScan security
Shortcut Epic and Story skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 24, 2026, 5:08 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only Shortcut.com integration that only needs curl, jq, and a Shortcut API token — its requirements and runtime instructions are consistent with its stated purpose.
- Guidance: This skill appears to do what it says: it uses curl and jq to call Shortcut's REST API and needs your Shortcut API token. Before installing or using it: (1) Understand that Shortcut tokens described here are 'member-level' and grant broad access to your Shortcut account — only provide a token for an account you trust. (2) If you prefer not to persist the token on disk, follow the SKILL.md advice to export SHORTCUT_API_TOKEN for the session instead of saving to ~/.openclaw/secrets/shortcut. (3) If possible, issue a limited-purpose/throwaway token or rotate/delete the token after use. (4) Verify file permissions (chmod 600) if you do store the token. If you need stronger isolation or auditing, consider using a dedicated account or workspace with minimized privileges.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (curl, jq), and the sole credential (SHORTCUT_API_TOKEN) match a REST-API-based Shortcut integration. No unrelated services, binaries, or config paths are requested.
- Instruction Scope (note): SKILL.md contains concrete curl/jq commands limited to the Shortcut API (api.app.shortcut.com). It reads/writes a single credential file at ~/.openclaw/secrets/shortcut and builds JSON safely with jq. The only minor scope note: the skill recommends persisting the API token to disk (or optionally exporting for the session) — storing a full-access token on disk is a design choice with privacy implications but not an incoherence.
- Install Mechanism (ok): Instruction-only skill with no install spec and no downloads. This is the lowest-risk install model and is appropriate for a shell-script-based integration.
- Credentials (note): Only the SHORTCUT_API_TOKEN credential is required, which is proportionate to the functionality. Important caveat: Shortcut API tokens are described as having full member-level access (no finer scopes), so the single required secret grants broad permissions within the Shortcut workspace — users should be aware of this.
- Persistence & Privilege (ok): The skill is not force-included (always:false) and does not request system-wide privileges or modify other skills. Its only persistence behavior is optional: saving the token to ~/.openclaw/secrets/shortcut, which affects only the user's home directory and is within expected behavior for credential caching.
