Asana
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a real Asana integration, but its setup guidance can expose your Asana token and the skill can make broad changes in Asana.
Install only if you trust the publisher and are comfortable letting the agent manage Asana data. Avoid commands that print the stored apiKey, use a limited/revocable PAT, and require confirmation before task, comment, status-update, attachment, or project mutations.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can see the run output or logs may learn the Asana PAT and use it according to its Asana permissions.
The skill needs an Asana PAT, but the setup section tells the user or agent to retrieve the stored apiKey. If that command returns the value, the PAT can be exposed in terminal output, logs, or the agent transcript.
This is the safest way to set the PAT because it keeps secrets out of prompts and ad-hoc shell history. ... `openclaw config get skills.entries.asana.apiKey`
Do not run config-get commands that print the apiKey. Verify only that a secret is present through a masked mechanism, and rotate the PAT if it has been exposed.
If invoked incorrectly, the agent could modify tasks, project briefs, or status updates in your Asana workspace.
The documented command surface can create, update, complete, and publish Asana project information. This is purpose-aligned, but it can change team/business records.
`create-task` ... `update-task` ... `complete-task` ... `upsert-project-brief` ... `create-status-update`
Use least-privilege PATs where possible and require explicit user confirmation before write, publish, or bulk-change operations.
Future commands may use a previously saved workspace/project context or event token, which could cause actions in the wrong Asana context if not checked.
Persistent defaults, contexts, and sync tokens can affect later runs and may become stale or user-controlled if the config path/content is changed.
The CLI stores local-only convenience config (defaults, contexts, event sync tokens) in: Default: `~/.openclaw/skills/asana.json`; Override: `ASANA_CONFIG_PATH=/path/to/file.json`.
Review the saved Asana config periodically, keep it in a user-controlled path, and confirm workspace/project context before writes.
It may be harder to verify who authored the skill or compare it against an upstream release.
The package does not provide a clear upstream source repository in the supplied metadata. The install path is otherwise simple and dependency-free, so this is a provenance note rather than a direct malicious indicator.
Source: unknown
Review the included script before enabling the PAT and prefer a trusted publisher or verifiable source link.
