Shortcut Epic and Story skill
Author: Sina Khelil · v1.0.2
501 total downloads · 1 favorite · 0 current installs · 3 versions
Install in OpenClaw
/install shortcut-skill
Description
Access and manage Shortcut.com (formerly Clubhouse) project management. Use when the user asks to: list stories, view backlog, search issues, check epics, up...
Security recommendations
This skill appears to do what it says: it uses curl and jq to call Shortcut's REST API and needs your Shortcut API token. Before installing or using it: (1) Understand that Shortcut tokens described here are 'member-level' and grant broad access to your Shortcut account — only provide a token for an account you trust. (2) If you prefer not to persist the token on disk, follow the SKILL.md advice to export SHORTCUT_API_TOKEN for the session instead of saving to ~/.openclaw/secrets/shortcut. (3) If possible, issue a limited-purpose/throwaway token or rotate/delete the token after use. (4) Verify file permissions (chmod 600) if you do store the token. If you need stronger isolation or auditing, consider using a dedicated account or workspace with minimized privileges.
Functional analysis
Type: OpenClaw Skill
Name: shortcut-skill
Version: 1.0.2
The skill bundle is benign. It provides instructions and code examples for an AI agent to interact with the Shortcut.com API using `curl` and `jq`. All API calls are directed to `api.app.shortcut.com` and use the `SHORTCUT_API_TOKEN` stored in the designated OpenClaw secrets location. The `SKILL.md` explicitly warns against shell injection and demonstrates safe JSON construction using `jq -n --arg`, indicating a focus on secure practices. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts designed to subvert the agent's purpose.
Capability assessment
Purpose & Capability
Name/description, required binaries (curl, jq), and the sole credential (SHORTCUT_API_TOKEN) match a REST-API-based Shortcut integration. No unrelated services, binaries, or config paths are requested.
Instruction Scope
SKILL.md contains concrete curl/jq commands limited to the Shortcut API (api.app.shortcut.com). It reads/writes a single credential file at ~/.openclaw/secrets/shortcut and builds JSON safely with jq. The only minor scope note: the skill recommends persisting the API token to disk (or optionally exporting for the session) — storing a full-access token on disk is a design choice with privacy implications but not an incoherence.
Install Mechanism
Instruction-only skill with no install spec and no downloads. This is the lowest-risk install model and is appropriate for a shell-script-based integration.
Credentials
Only the SHORTCUT_API_TOKEN credential is required, which is proportionate to the functionality. Important caveat: Shortcut API tokens are described as having full member-level access (no finer scopes), so the single required secret grants broad permissions within the Shortcut workspace — users should be aware of this.
Persistence & Privilege
The skill is not force-included (always:false) and does not request system-wide privileges or modify other skills. Its only persistence behavior is optional: saving the token to ~/.openclaw/secrets/shortcut, which affects only the user's home directory and is within expected behavior for credential caching.
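How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install shortcut-skill`
- Once installation completes, call the skill by name or use `/shortcut-skill` to trigger it
- Provide the required inputs according to the skill's parameter description to get structured output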
Version history
v1.0.2
**Major update: Adds mandatory safe JSON construction using jq for all API requests.**
- All commands for creating or updating data now require using jq (`jq -n --arg/--argjson`) to build JSON, preventing shell injection and quoting errors.
- Added a prominent section explaining and enforcing the safe JSON construction rule.
- Updated all write and some read examples to demonstrate proper, secure variable handling with jq.
- Improved comments and code samples for clarity and best security practices.
- No functional API/interface changes; all updates reinforce secure scripting usage.
v1.0.1
- Added metadata fields for homepage URL, required secrets, and primary API token environment variable.
- Included a credential note specifying where and how to generate/store the Shortcut API token.
- Clarified auth setup instructions, including alternative for session-only tokens.
- No changes to CLI usage or Shortcut API instructions.
v1.0.0
Major update: streamlined for direct API usage, concise setup, and richer Shortcut.com project management support.
- Replaced previous scripts and documentation with a clear, command-focused API skill file.
- Now documents shortcut usage for listing stories, handling epics, updating state, comments, and dependencies via direct API calls.
- Token setup is simplified and relocated for modern Openclaw directory structure.
- Includes curated bash+curl+jq examples for common Shortcut.com actions.
- Removed all shell scripts; operations are now described as API calls for flexible integration.
- Provides updated usage notes, output formats, and helpful tips for seamless Shortcut management.
FAQ
What is Shortcut Epic and Story skill?
Access and manage Shortcut.com (formerly Clubhouse) project management. Use when the user asks to: list stories, view backlog, search issues, check epics, up... It is an AI agent skill plugin for Claude Code / OpenClaw, with 501 cumulative downloads to date.
How do I install Shortcut Epic and Story skill?
Run the command "/install shortcut-skill" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Shortcut Epic and Story skill free?
Yes, Shortcut Epic and Story skill is completely free (open source and free of charge); you can download, install and use it freely.
Which platforms does Shortcut Epic and Story skill support?
Shortcut Epic and Story skill runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Shortcut Epic and Story skill?
It is developed and maintained by Sina Khelil (@incognos); the current version is v1.0.2.