Maverick Trello Mcp
Review
Audited by ClawScan on May 13, 2026.
Overview
This Trello skill is purpose-aligned and discloses credentialed read/write access, but users should confirm edits and be aware of unpinned helper dependencies and a local MCP server.
Install this only if you want the agent to access and update Trello on your behalf. Confirm any card/list/comment changes before they run, avoid sending unrelated sensitive information through the tools, and consider pinning dependencies if you require strict supply-chain control.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misinterprets a request, it could create, move, update, or comment on Trello cards in a shared workspace.
The skill can change shared Trello data, but the instruction explicitly calls this out and requires confirmation before writes.
Write operations that create, move, update, archive, delete, assign, comment on, or checklist-edit Trello cards modify shared board state. Confirm clear user intent before invoking write tools
Use the skill for Trello tasks only, review proposed changes, and require clear confirmation before any write operation.
The agent can access and act on Trello boards permitted by the supplied token.
The skill requires Trello credentials and uses them to act against the connected Trello account, which is expected for this integration.
The deployment harness provides a Trello access token and API key... the local server sends Trello API requests with the configured API key and request bearer token.
Use the least-privileged Trello token available, revoke it if no longer needed, and avoid installing this skill unless Trello account access is intended.
A future dependency version could behave differently from the version originally reviewed.
The artifact itself discloses an unpinned dependency, which is a supply-chain consideration even though it is purpose-aligned and not hidden.
The install spec uses unpinned `mcporter` (npm `latest`); operators with strict supply-chain controls should override the install to pin a specific version.
Pin mcporter and other runtime dependencies in controlled environments.
Trello-related content provided to the tools will be processed by the local MCP server and sent to Trello.
The MCP data path is clearly disclosed and uses loopback, but Trello task data and credentials still pass through a local MCP wrapper.
Tool calls travel from the agent to mcporter, then to this skill's local MCP server at `http://127.0.0.1:8764/mcp`. The local server forwards Trello API requests
Do not pass unrelated sensitive content through these tools, and keep the local machine environment trusted.
A local MCP server process may remain active during the skill's operation and should stay limited to loopback.
The wrapper starts the local MCP server as a detached process, which is expected for a local HTTP MCP bridge but is still background local behavior users should notice.
process = subprocess.Popen(... start_new_session=True, ...)
Ensure the server remains bound to 127.0.0.1/localhost and restart or stop stale local processes if behavior looks unexpected.
