Manage Asana tasks, projects, briefs, status updates, custom fields, dependencies, attachments, events, and timelines via Personal Access Token (PAT).
Security Analysis
high confidence
The skill appears to do what it claims (a dependency-free Node.js CLI that uses an Asana PAT) and its requirements and behavior are broadly coherent, with only minor documentation/declaration gaps to be aware of.
Name/description match the code and README: the script calls the Asana REST API using a PAT and implements task/project workflows. Minor mismatch: the registry metadata lists no required binaries, but the CLI requires Node.js 18+ (documented in README/AGENTS.md). This is a documentation/manifest omission rather than functional misalignment.
SKILL.md instructs the agent to run the included Node CLI and to provide an ASANA_PAT; it documents local config storage and sandbox behavior. The runtime instructions do not ask the agent to read unrelated system secrets or contact third-party endpoints outside Asana.
There is no install spec (instruction-only published skill) and the repository includes a single dependency-free script. No downloads or external installers are used.
Declared required env is ASANA_PAT (primary credential) which is appropriate. The code also checks/uses related env vars (ASANA_TOKEN as an alternative, ASANA_CONFIG_PATH, ASANA_DEFAULT_WORKSPACE) that are not listed in requires.env — this is a small transparency issue but each is reasonable for optional configuration.
always:false and the skill writes a local config file under the user's home (~/.openclaw/skills/asana.json) for convenience. This is expected for a CLI that maintains defaults/context; it does not modify other skills or system-wide settings.
Guidance
This skill appears coherent and implements a standard Asana CLI that uses a Personal Access Token. Before installing:
1. Ensure your agent environment provides Node.js 18+ (the manifest doesn't declare the node binary requirement, but README/AGENTS.md do).
2. Provide a dedicated Asana PAT (ASANA_PAT) and avoid reusing high-privilege tokens.
3. Note the skill may create a local config at ~/.openclaw/skills/asana.json or the path set by ASANA_CONFIG_PATH; don't store secrets there if you don't want them persisted.
4. The code also accepts ASANA_TOKEN, ASANA_DEFAULT_WORKSPACE, and ASANA_CONFIG_PATH as optional env vars (these are not listed in the registry metadata), so be mindful if you expose additional env values to the agent.
5. If you need stronger isolation, run the skill in a sandboxed agent and/or use a short-lived PAT that you can revoke.
Latest Release
v0.2.0
**Summary:** This release renames the skill to "asana", improves integration guidance for OpenClaw/Clawdbot, and streamlines configuration and usage documentation.
- Skill renamed from "asana-pat" to "asana".
- Updated environment variable guidance for OpenClaw/Clawdbot, including best practices for token injection and config management.
- Refined and reorganized documentation for clearer setup, key workflows, and recommendations.
- Improved CLI usage instructions, with concise command examples and task workflows.
- Metadata fields updated; non-essential fields and legacy details removed.
Published by @L-U-C-K-Y on ClawHub