Asana mcp

Pass

Audited by VirusTotal on May 7, 2026.

Overview

Type: OpenClaw Skill
Name: maverick-asana-mcp-2
Version: 1.0.1

The skill is a well-structured implementation for managing Asana via the Model Context Protocol (MCP). It uses a bash wrapper (invoke.sh) and an initialization script (init-mcporter.sh) to securely manage OAuth tokens in the mcporter vault, employing best practices like file locking and passing secrets to jq via environment variables to prevent exposure in process lists. The logic is consistent with the stated purpose of interacting with Asana's official MCP endpoint (https://mcp.asana.com/v2/mcp), and no malicious intent or significant vulnerabilities were identified.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could create or change tasks, projects, assignments, comments, due dates, or completion status in the connected Asana workspace when the user asks it to.

Why it was flagged

The skill can modify Asana workspace data, but it discloses this and instructs the agent to confirm user intent before write actions.

Skill content

Write operations (`create_task`, `update_task`, `add_task_to_project`, assignments, due dates, comments, project changes, and completion changes) modify Asana work visible to the connected workspace. Confirm clear user intent before invoking write tools

Recommendation

Install only for Asana accounts where this level of automation is acceptable, and review important write actions before allowing them.

What this means

Anyone with access to the stored credential vault may be able to use the connected Asana OAuth grant, depending on local file permissions and environment controls.

Why it was flagged

The script writes OAuth access and refresh tokens into mcporter's local credential vault so the tool can authenticate to Asana.

Skill content

tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"},
clientInfo: {client_id: env.mcp_client_id}

Recommendation

Protect the host account and `~/.mcporter/credentials.json`, and revoke or rotate the Asana OAuth grant if the machine or vault may be exposed.

What this means

Future installations may receive a newer mcporter version than the one the author tested.

Why it was flagged

The skill depends on an external npm package without pinning a version, which can change over time, though the artifact clearly discloses this.

Skill content

The install spec uses unpinned `mcporter` (npm `latest`); operators with strict supply-chain controls should override the install to pin a specific version

Recommendation

Pin `mcporter` to a reviewed version in controlled environments.