Asana mcp
Pass
Audited by ClawScan on May 7, 2026.
Overview
This is a coherent Asana integration, but it uses OAuth tokens and can update Asana workspace data, so users should install it only if they trust it with that account access.
This skill appears purpose-aligned for Asana automation. Before installing, make sure you are comfortable giving it OAuth-backed access to the connected Asana workspace, protect the local mcporter credential vault, and consider pinning the mcporter package version if you need stricter supply-chain control.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create or change tasks, projects, assignments, comments, due dates, or completion status in the connected Asana workspace when the user asks it to.
The skill can modify Asana workspace data, but it discloses this and instructs the agent to confirm user intent before write actions.
Write operations (`create_task`, `update_task`, `add_task_to_project`, assignments, due dates, comments, project changes, and completion changes) modify Asana work visible to the connected workspace. Confirm clear user intent before invoking write tools
Install only for Asana accounts where this level of automation is acceptable, and review important write actions before allowing them.
Anyone with access to the stored credential vault may be able to use the connected Asana OAuth grant, depending on local file permissions and environment controls.
The script writes OAuth access and refresh tokens into mcporter's local credential vault so the tool can authenticate to Asana.
tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"},
clientInfo: {client_id: env.mcp_client_id}
Protect the host account and `~/.mcporter/credentials.json`, and revoke or rotate the Asana OAuth grant if the machine or vault may be exposed.
Future installations may receive a newer mcporter version than the one the author tested.
The skill depends on an external npm package without pinning a version, which can change over time, though the artifact clearly discloses this.
The install spec uses unpinned `mcporter` (npm `latest`); operators with strict supply-chain controls should override the install to pin a specific version
Pin `mcporter` to a reviewed version in controlled environments.
