trello
github.com/openclaw/openclaw
Scanned Thu, 28 May 2026 17:07:52 GMT
Scan ID crawl-uqmorhpph1s06trdnc8swdqe · 1ms
F
SCORE 0 / 100
Verdict: Do not install

10 critical findings.

This skill leaks data via URL parameters ($TRELLO_API_KEY) plus 10 other issues listed below.

10 critical · 0 high · 1 medium · 1 rules passed

Why grade F?

score · 0 / 100

The current grade reflects 10 critical findings (any 2+ CRITs → F).

10 CRIT · 0 HIGH · 1 MED · 0 LOW
To reach a higher grade
  • D
    Reach D · target score 30

    Resolve 9 of your 10 CRIT findings — any single CRIT still keeps you at D.

  • C
    Reach C · target score 55

    Resolve all 10 CRIT findings.

  • B
    Reach B · target score 75

    Resolve all 10 CRIT.

  • A
    Reach A · target score 95

    Resolve all 10 CRIT.

Thresholds are documented at /docs/grading. Source-of-truth is the grade() function in @skillox/scanner.

Findings · ordered by severity

crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 46 · CWE-200
```bash
curl -s "https://api.trello.com/1/members/me/boards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | {name, id}'
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 52 · CWE-200
```bash
curl -s "https://api.trello.com/1/boards/{boardId}/lists?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | {name, id}'
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 58 · CWE-200
```bash
curl -s "https://api.trello.com/1/lists/{listId}/cards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | {name, id, desc}'
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 64 · CWE-200
```bash
curl -s -X POST "https://api.trello.com/1/cards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
  -d "idList={listId}" \
  -d "name=Card Title" \
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 73 · CWE-200
```bash
curl -s -X PUT "https://api.trello.com/1/cards/{cardId}?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
  -d "idList={newListId}"
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 80 · CWE-200
```bash
curl -s -X POST "https://api.trello.com/1/cards/{cardId}/actions/comments?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
  -d "text=Your comment here"
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 87 · CWE-200
```bash
curl -s -X PUT "https://api.trello.com/1/cards/{cardId}?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" \
  -d "closed=true"
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 101 · CWE-200
```bash
# Get all boards
curl -s "https://api.trello.com/1/members/me/boards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN&fields=name,id" | jq

# Find a specific board by name
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 104 · CWE-200
```bash
# Find a specific board by name
curl -s "https://api.trello.com/1/members/me/boards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | select(.name | contains("Work"))'

# Get all cards on a board
```
URL interpolates a credential into the query string
crit
URL embeds a credential variable
The skill builds a URL that interpolates a secret into the query string. If the agent makes this request, the credential leaves the trust boundary.
rule: url-exfiltration · line: 107 · CWE-200
```bash
# Get all cards on a board
curl -s "https://api.trello.com/1/boards/{boardId}/cards?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq '.[] | {name, list: .idList}'
```
URL interpolates a credential into the query string
med
No capability manifest declared
The skill ships without a `manifest.yaml` or `capabilities` block in its frontmatter. Without a manifest, the runtime cannot enforce what this skill is permitted to do.
rule: no-manifest
skillox.io/r/crawl-uqmorhpph1s06trdnc8swdqe