Asana
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent Asana connector, but review it because it can change or delete Asana projects and tasks through a third-party Membrane OAuth connection without explicit approval limits.
Install only if you are comfortable granting Membrane-mediated access to Asana. Use a least-privileged Asana account when possible, review OAuth scopes, and require explicit confirmation before any create, update, or delete action—especially project deletion.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong action or parameters, the agent could modify or delete real Asana tasks or projects visible to the connected account.
The skill documents generic action execution and lists destructive Asana actions, but does not define confirmation, scope, or recovery requirements before deletes or other mutations.
| Delete Task | delete-task | Delete a task from Asana | ... | Delete Project | delete-project | Delete a project from Asana | ... membrane action run <actionId> --connectionId=CONNECTION_ID --input '{"key": "value"}' --jsonRequire explicit user confirmation before create, update, or delete actions; limit actions to the intended workspace/project; and prefer least-privileged Asana accounts or scopes.
The skill can access and act on Asana data according to the connected account's permissions.
The integration requires delegated account access and refreshed credentials, which is expected for Asana but gives the connector authority over data available to the authenticated user.
Membrane handles authentication and credentials refresh automatically ... The user completes authentication in the browser.
Review the OAuth authorization and scopes, connect only the needed Asana account/workspace, and revoke the Membrane/Asana connection when finished.
Future installs could receive a different CLI version than the one the skill author tested.
The skill relies on a globally installed npm CLI using the moving @latest tag; this is purpose-aligned but less reproducible than a pinned version.
npm install -g @membranehq/cli@latest
Prefer a pinned Membrane CLI version where possible and install only from the expected npm package source.
Asana task, project, user, and workspace data may be processed through Membrane as part of normal operation.
Asana actions and authentication are mediated by the Membrane service/CLI rather than only direct local code, so users should understand that third-party data and credential boundaries are involved.
This skill uses the Membrane CLI to interact with Asana. Membrane handles authentication and credentials refresh automatically
Review Membrane's privacy/security terms and ensure this intermediary is acceptable for the Asana workspace data being accessed.