Asana

v1.0.0

Integrate Asana with Clawdbot via the Asana REST API. Use when you need to list/search/create/update Asana tasks/projects/workspaces, or to set up Asana OAuth (authorization code grant) for a personal local-only integration (OOB/manual code paste).

⭐ 2· 4.1k·21 current·21 all-time

byThe Ton Le@k0nkupa

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

Name/description match the code and instructions: the scripts implement OAuth (OOB/manual code paste), token refresh, and common Asana API actions. Required capabilities (client id/secret, tokens) are appropriate for an OAuth-based Asana integration.

✓

Instruction Scope

SKILL.md instructs only local actions (generating authorize URL, exchanging code, reading/writing token and config files under ~/.clawdbot/asana, and calling Asana API). The runtime instructions and scripts only reference Asana endpoints and local paths needed for this functionality; they do not ask the agent to read unrelated system files or exfiltrate data to non-Asana hosts.

✓

Install Mechanism

No install spec; this is effectively instruction+helper scripts that run locally. No downloads or external install URLs are present, so no elevated install risk.

ℹ

Credentials

The skill legitimately needs Asana credentials (client_id/client_secret) and user OAuth tokens. Those are only used for Asana API/token refresh. Minor inconsistency: registry metadata lists no required env vars, but the scripts optionally read ASANA_CLIENT_ID and ASANA_CLIENT_SECRET (or fall back to a credentials file). This is not malicious but worth noting: you must provide Asana credentials either via env vars or the local credentials file for full functionality.

✓

Persistence & Privilege

The skill stores credentials/tokens/config under the user's home directory (~/.clawdbot/asana). It does not request permanent system-wide privileges, does not set always:true, and does not modify other skills' configuration. Writing to a dedicated per-skill directory is scoped and expected.

Assessment

This skill appears to be what it claims: a local-only Asana integration. Before installing, consider the following: (1) It requires Asana OAuth credentials (client ID and secret) and will store tokens and config at ~/.clawdbot/asana — keep those files private and ensure correct filesystem permissions. (2) You can provide credentials via environment variables or by running the configure script which writes credentials.json; the registry metadata didn't declare these env vars but the scripts accept them — supply them intentionally. (3) The scripts only contact Asana endpoints (oauth and API); there are no hidden or third-party endpoints in the source. (4) Review the code if you have doubts (it's small and readable) and run it in a trusted environment; Node 22+ is required. (5) If you plan multi-user or public deployment, replace the OOB flow with a proper redirect/callback and follow Asana distribution/scopes guidance. If any of these points are unacceptable (e.g., you don't want credentials written to disk), do not install or run the scripts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fxg5ahaszad0ha421svdwch7zz4x2

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Asana

License

Comments