Back to skill

Security audit

Asana (PAT)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Asana integration that uses a user-provided Asana token for documented Asana task and project actions, with normal caution needed for write access, uploads, and stored configuration.

Install only if you trust this skill to act with the permissions of your Asana PAT. Prefer a dedicated, revocable token with the minimum Asana access you need, review agent-initiated write actions in shared workspaces, and only upload files you intend to share in Asana. If you use OpenClaw config for the PAT or event polling, remember that local config/state can persist until you remove it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly documents uploading a local file to Asana but does not warn that the file's contents will be transmitted off-host to a third-party service. In an agent setting, this can cause accidental exfiltration of sensitive local data if a user or upstream prompt references a path without understanding the privacy implications.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill states that `events --resource <gid>` stores a sync token locally, but does not disclose where it is stored, how long it persists, or that it writes state to disk. This can create unexpected local persistence, which matters in shared or ephemeral environments and may leak activity metadata or cause cross-run statefulness surprises.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup (PAT)

1. Create a PAT: Asana → Developer App / PAT settings (see Asana docs: Personal access token).
2. Provide it to the runtime as `ASANA_PAT`.

### Recommended: store the PAT in OpenClaw config (non-interactive)
Confidence
74% confidence
Finding
Create a PAT: Asana → Developer App / PAT settings (see Asana docs: Personal access token). 2. Provide it to the runtime as `ASANA_PAT`. ### Recommended: store the PAT in OpenClaw config (non-interac

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/asana.mjs:175