ClickUp
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: clickup-api Version: 1.0.5 The skill provides a standard integration for the ClickUp API using a managed OAuth proxy service (maton.ai). The provided Python snippets in SKILL.md are transparent, using standard libraries to perform authenticated API requests, and the documentation explicitly includes security best practices such as requiring user approval for write operations.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent with this key may be able to access the connected ClickUp account through the Maton proxy.
The skill requires a sensitive Maton API key that represents delegated access to a connected ClickUp account.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Use the key only in trusted environments, keep it out of logs and shared chats, and revoke or rotate it if exposed.
If approved, the agent could create, update, delete, or configure ClickUp resources that affect team workflows.
The skill exposes broad ClickUp API actions, including write-capable and webhook-management operations, but it also instructs the agent to get approval before mutations.
Access tasks, lists, folders, spaces, workspaces, users, and manage webhooks ... All write operations require explicit user approval.
Before approving any write action, confirm the exact workspace, resource ID/name, and intended effect; be especially careful with deletes and webhook changes.
ClickUp request and response data may pass through Maton as part of the integration.
ClickUp API traffic and OAuth mediation go through the Maton gateway, which is expected for this skill but is still a third-party data path.
Maton proxies requests to `api.clickup.com` and automatically injects your OAuth token.
Install only if you trust Maton with the connected ClickUp data, and use the `Maton-Connection` header when multiple accounts exist to avoid sending requests to the wrong account.