Skill v1.9.1

ClawScan security

Dashtask.ai - Task/Project manager and CRM built for AI Agents and Humans to work together. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 4:58 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent: it documents a REST API integration that legitimately requires an API key and endpoint and the instructions/requirements match the described CRM/task-management purpose.
Guidance
This skill appears coherent with its stated purpose, but review these before installing:
1) Create a dedicated DashTask API key with the minimal scopes needed (tasks vs crm vs settings) rather than reusing a broad key.
2) Verify DASHTASK_ENDPOINT points to your organization's official endpoint (do not accept example/Supabase endpoints unless you expect them).
3) Understand that the agent will cache get_org_context (team members, emails, tags, dimensions) for the session—ensure your agent’s memory handling meets your privacy requirements.
4) The skill can send emails and modify records; audit and monitor API-key usage and activity logs, and rotate keys regularly.
5) Source/origin is listed as unknown in the package metadata—if you require greater assurance, obtain the skill from a verified DashTask/OpenClaw publisher or inspect a signed release before enabling.

Review Dimensions

Purpose & Capability
ok
Name/description, required environment variables (DASHTASK_API_KEY, DASHTASK_ENDPOINT), and the documented actions (tasks, CRM, settings, emails) align: an API key and endpoint are exactly what's needed for a REST-based DashTask integration.
Instruction Scope
note
SKILL.md is instruction-only and stays within the API's domain (POST to DASHTASK_ENDPOINT with X-API-Key). It requires caching get_org_context per-session (includes team members, emails, tags, etc.), which is necessary for operation but means the agent will store potentially sensitive org data in memory—confirm how the agent handles session memory and retention. The file also shows actions that can send emails and create/update/delete records, which is expected for CRM but worth confirming scope on the API key.
Install Mechanism
ok
No install spec or code files are included (instruction-only), so nothing is downloaded or written to disk by the skill itself.
Credentials
ok
Only two environment variables are required (API key and endpoint), both directly relevant. The manifest and SKILL.md consistently reference only these variables; the primary credential is the API key as expected.
Persistence & Privilege
ok
Skill is not always-enabled and does not request elevated platform persistence. Autonomous invocation is allowed by default (normal); there is no evidence the skill modifies other skills or system-wide configuration.