by 安全扫描
OpenClaw
安全
high confidenceThe skill appears to do what it claims (a dependency-free Node.js CLI that uses an Asana PAT) and its requirements and behavior are broadly coherent, with only minor documentation/declaration gaps to be aware of.
评估建议
This skill appears coherent and implements a standard Asana CLI that uses a Personal Access Token. Before installing: (1) ensure your agent environment provides Node.js 18+ (the manifest doesn’t declare the node binary requirement, but README/AGENTS.md do); (2) provide a dedicated Asana PAT (ASANA_PAT) and avoid reusing high-privilege tokens; (3) note the skill may create a local config at ~/.openclaw/skills/asana.json or the path set by ASANA_CONFIG_PATH — don't store secrets there if you don’t...详细分析 ▾
ℹ 用途与能力
Name/description match the code and README: the script calls the Asana REST API using a PAT and implements task/project workflows. Minor mismatch: the registry metadata lists no required binaries, but the CLI requires Node.js 18+ (documented in README/AGENTS.md). This is a documentation/manifest omission rather than functional misalignment.
✓ 指令范围
SKILL.md instructs the agent to run the included Node CLI and to provide an ASANA_PAT; it documents local config storage and sandbox behavior. The runtime instructions do not ask the agent to read unrelated system secrets or contact third-party endpoints outside Asana.
✓ 安装机制
There is no install spec (instruction-only published skill) and the repository includes a single dependency-free script. No downloads or external installers are used.
ℹ 凭证需求
Declared required env is ASANA_PAT (primary credential) which is appropriate. The code also checks/uses related env vars (ASANA_TOKEN as an alternative, ASANA_CONFIG_PATH, ASANA_DEFAULT_WORKSPACE) that are not listed in requires.env — this is a small transparency issue but each is reasonable for optional configuration.
✓ 持久化与权限
always:false and the skill writes a local config file under the user's home (~/.openclaw/skills/asana.json) for convenience. This is expected for a CLI that maintains defaults/context; it does not modify other skills or system-wide settings.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.2.02026/1/28
**Summary:** This release renames the skill to "asana", improves integration guidance for OpenClaw/Clawdbot, and streamlines configuration and usage documentation. - Skill renamed from "asana-pat" to "asana". - Updated environment variable guidance for OpenClaw/Clawdbot, including best practices for token injection and config management. - Refined and reorganized documentation for clearer setup, key workflows, and recommendations. - Improved CLI usage instructions, with concise command examples and task workflows. - Metadata fields updated; non-essential fields and legacy details removed.
● 无害
安装命令
点击复制官方npx clawhub@latest install asana-pat
镜像加速npx clawhub@latest install asana-pat --registry https://cn.longxiaskill.com