Exponential

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the skill requires trusting the external exponential-cli package and its npm supply chain.

Why it was flagged

The skill relies on installing a global npm package that is not included in the provided artifacts; this is a disclosed setup step and central to the skill's purpose.

Skill content

npm install -g exponential-cli

Recommendation

Install the CLI only from the expected official source, consider pinning a known version, and keep it updated intentionally.

What this means

Anyone or anything using that authenticated CLI can act within the token’s permissions, including viewing and changing task data.

Why it was flagged

The CLI authenticates with a JWT token for the Exponential service; this is expected for the integration, but it gives the CLI account-level authority for the user’s Exponential data.

Skill content

exponential auth login --token <JWT> --api-url https://www.exponential.im

Recommendation

Use only an intended Exponential account or scoped token if available, avoid exposing the JWT in shared logs or chats, and revoke the token when no longer needed.

What this means

Incorrect task IDs, due dates, priorities, or statuses could change the wrong work items.

Why it was flagged

The skill documents commands that create and update Exponential actions; this mutation authority is purpose-aligned but can change user or workspace task records.

Skill content

exponential actions create -n "Task name" ...
exponential actions update --id <actionId> ...

Recommendation

For create or update requests, have the agent summarize the intended change before running it, especially in shared workspaces.