ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pipeworx clickup

v1.0.0

Access and manage ClickUp tasks, spaces, folders, and create new tasks using the ClickUp REST API v2 with your API key.

0· 67·0 current·0 all-time
byBruce Gutman@b-gutman

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for b-gutman/pipeworx-clickup.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Pipeworx clickup" (b-gutman/pipeworx-clickup) from ClawHub.
Skill page: https://clawhub.ai/b-gutman/pipeworx-clickup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install pipeworx-clickup

ClawHub CLI

Package manager switcher

npx clawhub@latest install pipeworx-clickup
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description say this integrates with ClickUp using an API key, but the skill declares no required credentials or primaryEnv. A ClickUp integration normally requires an API key (or OAuth); the absence of declared credentials is inconsistent. The manifest also points to an external gateway (gateway.pipeworx.io) rather than calling api.clickup.com directly, which is not explained.
!
Instruction Scope
SKILL.md is very short and partly truncated; it lists operations but does not describe how or where the ClickUp API key is supplied or stored. The provided JSON points the agent to a third‑party MCP server; instructions do not state what data will be forwarded to that server, creating potential for unintended exfiltration of task content or credentials.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing will be written to disk during install. This lowers the technical install risk, but does not mitigate the concerns about external network calls described in the instructions.
!
Credentials
The skill declares no required environment variables yet its description explicitly says 'BYO API key.' The lack of a declared primary credential or env var for ClickUp API key is disproportionate and leaves unclear how credentials are handled (prompted interactively, sent to gateway, or stored).
Persistence & Privilege
Skill is not marked always:true and uses default autonomous invocation. It does not request persistent system-level privileges or config paths. However, autonomous invocation combined with the external gateway increases blast radius if the gateway or data handling is untrusted.
What to consider before installing
Don't install this until the vendor explains how the ClickUp API key is provided and stored, and who operates gateway.pipeworx.io. Ask whether the skill calls api.clickup.com directly or proxies requests through the Pipeworx gateway, whether task content or credentials are logged or stored by that gateway, and request a declared primary credential/env var in the manifest. Prefer a skill that documents its auth flow (OAuth or a named env var) and has a public homepage or repo and privacy/security documentation. If you must test, avoid using a high‑privilege ClickUp key and monitor network traffic to see where data is sent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c52ymaq6mvhabma5b5askps85d85d
67downloads
0stars
1versions
Updated 5d ago
v1.0.0
MIT-0
Bruce Gutman@b-gutman
latest
Download

Clickup

ClickUp MCP — wraps the ClickUp REST API v2 (BYO API key)

clickup_list_tasks

List all tasks in a ClickUp list. Returns task ID, name, status, priority, assignees, due date, and

clickup_get_task

Fetch full task details including name, description, status, priority, assignees, tags, and time tra

clickup_create_task

Create a new task in a ClickUp list. Provide list ID, task name, and optionally priority and assigne

clickup_list_spaces

List all spaces in your ClickUp workspace. Returns space ID, name, and status.

clickup_list_folders

List all folders in a ClickUp space. Provide space ID (e.g., "789"). Returns folder ID, name, and li

{
  "mcpServers": {
    "clickup": {
      "url": "https://gateway.pipeworx.io/clickup/mcp"
    }
  }
}

Comments

Loading comments...