Trello

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a straightforward Trello API helper, but it uses Trello credentials that can access your account and includes commands that can change or archive cards.

Use this skill only if you are comfortable giving Clawdbot Trello API access. Keep the API key and token secret, prefer the narrowest Trello token permissions available, confirm IDs before any write action, and revoke the token if you stop using the skill.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

65/65 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone or any process with these environment variables could act through the user's Trello account within the token's permissions.

Why it was flagged

The skill requires Trello credentials and explicitly states that the token can access the user's account. This is expected for the integration, but it is high-privilege access.

Skill content

The API key and token provide full access to your Trello account - keep them secret!

Recommendation

Use a Trello token only for users who need this access, store it securely, avoid exposing environment variables in logs or shared shells, and revoke the token when no longer needed.

ASI02: Tool Misuse and Exploitation
Low
What this means

If used on the wrong card, board, or list, the skill could create, move, comment on, or archive Trello cards unintentionally.

Why it was flagged

The skill documents direct Trello API write operations, including archiving a card. These operations are aligned with the stated management purpose, but they can change Trello data.

Skill content

### Archive a card
curl -s -X PUT "https://api.trello.com/1/cards/{cardId}?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
  -d "closed=true"

Recommendation

Review board/list/card IDs before running write operations and require clear user intent before creating, moving, commenting on, or archiving cards.