Plugin v1.1.1
ClawScan security
Trello · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 1, 2026, 7:39 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The plugin is internally consistent with a Trello integration: it only requests Trello API credentials, calls Trello's official API endpoints, and its instructions align with its code and manifest.
- Guidance: This plugin appears to do exactly what it claims: operate on Trello via the official API. Before installing: (1) Provide only a Trello API key and a token with the least privileges needed (avoid admin-level tokens). (2) Prefer storing secrets in your secure OpenClaw plugin config or constrained env vars, and rotate tokens if compromised. (3) Note the small registry metadata mismatch (top-level requirements show no env vars while the manifest requires Trello credentials); confirm your OpenClaw UI will prompt for credentials as documented. (4) If you require absolute assurance, review the included index.ts (which is present) and/or use the GitHub repo in package.json to confirm nothing else is added in future updates.
Review Dimensions
- Purpose & Capability (ok): Name, description, tools, manifest, SKILL.md, and index.ts all align: the code implements the listed Trello operations and the plugin expects a Trello API key/token. Minor metadata mismatch: the registry top-level 'Requirements' block reported 'Required env vars: none' and 'Primary credential: none', but the plugin manifest (openclaw.plugin.json) and SKILL.md clearly declare TRELLO_API_KEY/TRELLO_TOKEN as provider credentials.
- Instruction Scope (ok): SKILL.md instructs only how to install and configure credentials (openclaw.json or env vars) and describes the 13 tools. The runtime instructions and code operate solely against https://api.trello.com/1 and do not reference unrelated files, system paths, or third-party endpoints.
- Install Mechanism (ok): No install spec (instruction-only at registry level), and the package contains source files only. No downloads from arbitrary URLs or extract steps. The plugin is built as a normal OpenClaw extension (index.ts + package.json).
- Credentials (note): The plugin legitimately requires a Trello API key and token (declared in openclaw.plugin.json and SKILL.md), which is proportionate to its purpose. Note: the registry summary at top incorrectly listed 'no required env vars'; ensure you provide only a scoped Trello token (least privilege).
- Persistence & Privilege (ok): always is false and disable-model-invocation is false (normal). The plugin stores credentials in the plugin config or uses env vars, which is expected behavior. It does not request system-wide privileges or modify other plugins' configs.
