Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Asana

v0.2.0

Manage Asana tasks, projects, briefs, status updates, custom fields, dependencies, attachments, events, and timelines via Personal Access Token (PAT).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description require a Personal Access Token and the skill declares ASANA_PAT as its primary env var. The included script(s) call Asana's API (app.asana.com) and implement task/project operations described in the docs — the requested credential and file accesses align with the stated functionality.
Instruction Scope
SKILL.md and README instruct the agent to use ASANA_PAT (or ASANA_TOKEN) and to call the CLI commands in scripts/asana.mjs. The CLI reads/writes a small local config (~/.openclaw/skills/asana.json) for convenience (defaults/contexts/event sync tokens). This is expected for workspace/context persistence, but users should be aware the skill will create/read that file in the home directory.
Install Mechanism
There is no install spec and the repository is instruction+script only (single dependency-free Node ESM script). No remote downloads, no package manager installs, and no unusual installers are present.
Credentials
Only ASANA_PAT (and optional ASANA_TOKEN alias) are required. That matches the described Asana PAT integration. No unrelated environment variables, cloud credentials, or secrets are requested.
Persistence & Privilege
always is false and disable-model-invocation is default. The skill writes only its own local config file(s) under the user's home (~/.openclaw/skills/asana.json and legacy paths). It does not request elevated system-wide privileges or modify other skills' configs.
Assessment
This skill appears coherent and implements only the Asana PAT-based functionality it claims. Before installing:
1) Treat the ASANA_PAT like any API secret — inject it at runtime via OpenClaw's config (skills.entries.asana.apiKey or env injection) rather than pasting it into prompts;
2) Prefer a PAT with the minimal scope you can (or rotate it frequently);
3) Be aware the skill will create/read a local per-user config at ~/.openclaw/skills/asana.json (check that file's contents and filesystem permissions if you want to ensure no secrets are stored there);
4) Review scripts/asana.mjs yourself if you need absolute assurance — network calls go to app.asana.com and behavior is JSON-only; and
5) If you run sandboxed agents, ensure the sandbox Docker env is configured as documented so the token is injected only for runs where you expect it.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Env: ASANA_PAT
Primary env: ASANA_PAT
