ClawAudit verdict
asana
asana-api
Reads local files AND makes external network calls
Asana task and project management API integration via Maton OAuth gateway proxying to app.asana.com for standard work management operations that match the stated purpose.
Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.
What it does
These are capability combinations: each listed behavior occurs in the skill, but ClawAudit detects co-occurrence — it does not verify that one flows into another. Read the code to confirm a live chain.
Reads local files AND makes external network calls — the capabilities for data exfiltration co-occur (data-flow not verified)
LLM02 · LLM06 · ASI03
Reads files, encodes data, AND makes external network calls — the obfuscated-exfiltration pattern (data-flow not verified)
LLM02 · ASI03
Accesses credentials AND makes external network calls — potential credential theft
LLM02 · ASI03
Accesses credentials AND encodes data — may obfuscate stolen credentials
LLM02 · ASI03 · ASI04
Permission integrity
network_out
file_read
package_install
Findings (6)
Possible hardcoded credential
SKILL.md · code · API_KEY="YOUR_API_KEY
Accesses process.env — reads environment variables
SKILL.md · code
Python urllib.request — network access
SKILL.md · code · urllib.request
Accesses sensitive environment variables
SKILL.md · code · process.env.MATON_API_KEY
fetch() — outbound network request
SKILL.md · code
Makes HTTP request to external URL
SKILL.md · code · fetch(
'https://
Permissions & capabilities
Requires 1 environment variable. (1 sensitive: MATON_API_KEY).
network_outfile_readcredential_accesspackage_installdata_encodingnetwork_in Thanks — recorded.