Asana

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Asana integration, but it uses Asana credentials and can change tasks, so users should restrict tokens and confirm write actions.

Install only if you are comfortable giving the skill Asana account access. Use the narrowest practical PAT or OAuth scope, keep stored tokens private, and confirm before allowing the agent to create, update, complete, or comment on tasks.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with a valid token, the skill can create tasks, change task names, complete tasks, and add comments in Asana, which may affect team workflows.

Why it was flagged

These documented commands can modify Asana workspace data. That is aligned with the skill description, but users should recognize the write authority before enabling agent use.

Skill content

node scripts/asana_api.mjs update-task <task_gid> --name "New name"
node scripts/asana_api.mjs complete-task <task_gid>
node scripts/asana_api.mjs comment <task_gid> --text "Done"
node scripts/asana_api.mjs create-task --workspace <gid> --name "New task"

Recommendation

Use the skill for write actions only after clear user intent, and prefer tokens or OAuth scopes limited to the workspace and operations needed.

What this means

Anyone or any process that can access the configured PAT or token could use it to access Asana with the granted permissions.

Why it was flagged

The skill uses Asana account credentials and can persist them locally. This is expected for the integration, but the credentials grant access according to the user's Asana permissions.

Skill content

Priority order:
1. `--token` or `ASANA_PAT`
2. `~/.openclaw/asana/config.json` with `{ "pat": "..." }`
3. OAuth token at `~/.openclaw/asana/token.json`

Recommendation

Protect the local ~/.openclaw/asana files, avoid over-scoped PATs, rotate tokens if exposed, and clear stored credentials when no longer needed.