← 返回 Skills 市场
Shortcut
作者
catwalksophie
· GitHub ↗
· v1.4.1
2142
总下载
1
收藏
1
当前安装
7
版本数
在 OpenClaw 中安装
/install shortcut
功能描述
Manage stories on Shortcut.com kanban boards. Use when creating, updating, or listing tasks/stories on Shortcut project management boards. Supports creating stories with descriptions and types (feature/bug/chore), updating story status, and listing active/completed stories. Includes full checklist task management and comment support.
安全使用建议
This skill's code matches its description (it talks to Shortcut's official API and manages stories, tasks, comments), but the package metadata omits important operational requirements. Before installing: 1) Verify you trust the skill author (owner ID provided) because the skill will use your Shortcut API token. 2) Expect to provide SHORTCUT_API_TOKEN (or create ~/.config/shortcut/api-token) — the skill does not declare this in metadata. 3) Ensure curl and jq are available on the agent host (scripts depend on them). 4) Inspect the scripts locally (they're plain bash) to confirm behavior; the scripts write ~/.config/shortcut/workflow-states and may advise adding a source to ~/.bashrc — do not blindly modify your shell rc files. 5) Prefer creating a token with the least privileges necessary and rotate/revoke it if you uninstall or stop using the skill. The omissions in metadata are likely sloppy packaging rather than malicious intent, but they are security-relevant and should be corrected before use.
功能分析
Type: OpenClaw Skill
Name: shortcut
Version: 1.4.1
The OpenClaw AgentSkills skill bundle for Shortcut.com is classified as benign. All scripts (`scripts/*.sh`) interact exclusively with the legitimate Shortcut API (`https://api.app.shortcut.com/api/v3`) for managing stories, tasks, and comments. API tokens are securely handled by reading from environment variables or a dedicated configuration file (`~/.config/shortcut/api-token`). The `shortcut-init-workflow.sh` script generates a configuration file (`~/.config/shortcut/workflow-states`) containing environment variable exports for workflow states, which is a standard and transparent configuration practice. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts in `SKILL.md` or `README.md` that would subvert the agent's intended behavior or access unrelated sensitive data. All operations are clearly aligned with the stated purpose of integrating with Shortcut.com.
能力评估
Purpose & Capability
The skill's name and description align with the included scripts: all scripts call Shortcut's API and implement create/list/update/delete for stories, tasks, and comments. However, the skill registry metadata declares no required environment variables or binaries even though the SKILL.md and scripts require a Shortcut API token (SHORTCUT_API_TOKEN or ~/.config/shortcut/api-token) and runtime tools (bash, curl, jq). That mismatch between claimed requirements and actual needs is unexpected and should be fixed or explained by the author.
Instruction Scope
SKILL.md and the scripts stay within the expected scope: they call the official Shortcut API (https://api.app.shortcut.com/api/v3), read/write SSH-local config files under ~/.config/shortcut, and do not attempt to read unrelated system data. The scripts create ~/.config/shortcut/workflow-states and use /tmp for transient responses; SKILL.md suggests optionally adding the token to ~/.bashrc (user-facing guidance). There are no hidden endpoints or broad data-collection steps in the scripts.
Install Mechanism
There is no install spec (instruction-only), which is low risk from supply-chain downloads. However, the skill includes many shell scripts bundled in the skill itself; installing the skill will place those scripts on disk. The scripts are plain bash and use curl/jq; the metadata should list these runtime dependencies but does not.
Credentials
Functionally the skill only needs a single Shortcut API token and workspace permissions (proportional to the stated purpose). But the registry metadata lists no required env vars while SKILL.md and every script require SHORTCUT_API_TOKEN or a token file. Additionally the manifest does not declare required binaries (curl, jq). This omission is a practical and security-relevant inconsistency: users may not realize they must supply a token and may be surprised that scripts access ~/.config/shortcut and ~/.bashrc (if they follow the optional guidance).
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It writes and reads its own configuration under ~/.config/shortcut and suggests optionally sourcing that file from ~/.bashrc — these are standard, limited local config actions. Autonomous invocation is allowed by default (normal for skills) but not combined with other high-risk behaviors here.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install shortcut - 安装完成后,直接呼叫该 Skill 的名称或使用
/shortcut触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.4.1
- Updated documentation in CHANGELOG.md, README.md, and SKILL.md.
- Removed the file clawhub-submission.md.
- Incremented version to 1.4.1.
- No changes to implementation or features; this is strictly a documentation and cleanup update.
v1.4.0
- Added script `shortcut-init-workflow.sh` to automatically detect and configure workspace-specific workflow state IDs.
- Updated documentation to guide users through initializing workflow state IDs and using the new configuration file.
- Modified `shortcut-update-story.sh` to use workspace-specific state IDs from the config file, with fallback to defaults.
- Improved guidance for users with different workspace workflows.
v1.3.0
- Added CHANGELOG.md and clawhub-submission.md files.
- Workflow state IDs for story updates are now specifically documented for the "coalface" workspace.
- Provided example command to retrieve workflow state IDs via the Shortcut API.
- Updated SKILL.md to clarify workflow state mapping and customization instructions.
v1.2.0
- API token configuration is now more flexible: supports both the SHORTCUT_API_TOKEN environment variable and a user-level file at ~/.config/shortcut/api-token.
- Scripts no longer require sudo: removed dependency on /root/secrets/shortcut-api-token.
- Updated documentation with new setup and configuration instructions.
- No changes to script usage or commands; only authentication and setup improved.
v1.1.0
Expanded shortcut skill with full checklist task and comment management.
- Added scripts for checklist tasks: create, update, edit, and delete tasks within stories.
- Added scripts for comment management: add, update, and delete story comments.
- Introduced a command to display full story details, including checklist and comments.
- Updated documentation to cover new checklist and comment features.
v1.0.1
Remove hardcoded workspace/team references, make documentation more generic for any Shortcut workspace
v1.0.0
Initial release: Manage Shortcut.com kanban boards via shell scripts.
- List active, completed, or all stories with flexible output (plain or JSON)
- Create new stories with specified descriptions and types (feature, bug, or chore)
- Update existing stories' state and description by story ID
- Requires pre-set Shortcut API token, workspace, and team
- All scripts require sudo to read API token securely
元数据
常见问题
Shortcut 是什么?
Manage stories on Shortcut.com kanban boards. Use when creating, updating, or listing tasks/stories on Shortcut project management boards. Supports creating stories with descriptions and types (feature/bug/chore), updating story status, and listing active/completed stories. Includes full checklist task management and comment support. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2142 次。
如何安装 Shortcut?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install shortcut」即可一键安装,无需额外配置。
Shortcut 是免费的吗?
是的,Shortcut 完全免费(开源免费),可自由下载、安装和使用。
Shortcut 支持哪些平台?
Shortcut 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Shortcut?
由 catwalksophie(@catwalksophie)开发并维护,当前版本 v1.4.1。
推荐 Skills