ClawHub

test

v1.0.0

Manage Trello boards, lists, and cards via the Trello REST API.

0· 142·0 current·0 all-time
by@hjcloud·duplicate of @chaunceyliu/test1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Function (manage Trello via REST) matches the required env vars (TRELLO_API_KEY, TRELLO_TOKEN) and the documented curl calls. Minor inconsistencies: top-level registry metadata lists this skill as 'test' / slug 'testjeff' while SKILL.md and _meta.json identify it as 'trello'; _meta.json ownerId differs from the registry ownerId. These look like packaging/name mismatches, not functional mismatches.
Instruction Scope
SKILL.md explicitly instructs only to run curl against api.trello.com and to use jq to filter results. It only reads the declared environment variables (TRELLO_API_KEY, TRELLO_TOKEN) and does not reference other system paths or external endpoints.
Install Mechanism
No install spec; instruction-only skill (no files executed/written). This is the lowest-risk install model.
Credentials
Only two environment variables are required (TRELLO_API_KEY and TRELLO_TOKEN) which are appropriate for Trello API access. The SKILL.md warns that the key/token provide full access. No unrelated secrets are requested.
Persistence & Privilege
always is false and the skill is user-invocable; autonomous invocation is allowed by default (normal for skills) but there is no request for persistent agent-wide privileges or modifications to other skills.
Assessment
This skill appears to do what it says: run curl against Trello using your TRELLO_API_KEY and TRELLO_TOKEN. Before installing: (1) remember these credentials grant full Trello access—only provide tokens you trust the agent with and consider creating limited/expiring tokens where possible; (2) verify you have curl and jq available (SKILL.md uses curl but only jq is listed as a required binary); (3) the package metadata shows inconsistent names/owner IDs—if provenance matters to you, confirm the publisher/slug before trusting the skill; (4) if you do not want the agent to make API calls autonomously, disable autonomous invocation or avoid setting long-lived tokens. Revoke the token if you stop using the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk978r4jsy967bb51vf1rhwc9n5833afj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis
Binsjq
EnvTRELLO_API_KEY, TRELLO_TOKEN

Comments