Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Teambition

v1.0.0

Connects to and manages Teambition (a project management system), querying and managing tasks, projects, members and other data through the Teambition MCP service. Use this skill when the user mentions Teambition, project management, task management and similar topics.

1 · 71 · 0 current · 0 all-time
by Rainco@jeandoom
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md presents the skill as a Teambition MCP connector and describes appropriate API operations and config files. However, the registry metadata declares a required binary, npx, which the SKILL.md never references for installation or at runtime. That mismatch is unexplained and is unnecessary for the stated purpose.
Instruction Scope
Runtime instructions tell the agent to read and write files named {baseDir}/.teambition and {baseDir}/.teambition-token and to call tools such as GetUsersMe. Reading and writing a config file is reasonable for this skill, but {baseDir} is never defined: it could map to the agent workspace, the user's home directory, or anywhere else, so the filesystem paths that will actually be touched are ambiguous. The instructions also contain shell commands (cat/grep/echo) that would run on the host if the agent executes them. That is expected for this kind of skill, but the path ambiguity increases the risk.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written by an installer. That minimizes install-time risk.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. It does optionally instruct the agent to persist a token file; storing an authentication token on disk is reasonable for a connector, but the skill gives no guidance on secure storage, file permissions, or the token scope required. Users should verify where the token will be written and how it is protected.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does intend to persist configuration and (optionally) an auth token to a config file in {baseDir}, which is normal for a connector, but again the target path is ambiguous.
What to consider before installing
Before installing, ask the skill author two questions: (1) Why does the registry metadata require 'npx'? The SKILL.md never uses it — remove the requirement or explain its purpose. (2) What exactly is {baseDir}? Confirm whether config and token files are stored only inside a confined agent workspace (or a specific user home subfolder) and not arbitrary system paths. If you proceed, verify where the .teambition and .teambition-token files will be written, review their contents, and ensure tokens are stored securely (avoid plaintext tokens in world-readable locations). Also confirm what GetUsersMe does and how authentication is performed (scopes, expiration). These fixes/clarifications would move the skill toward 'benign'.
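The two checks the report asks for before trusting this skill, confining {baseDir} to the agent workspace and persisting the token so that only the owner can read it, as an added example in Python. This is not code from the skill or from ClawHub's scanner. It assumes a POSIX host, a throwaway temporary directory standing in for the agent workspace, and a constructed token value; only the file names .teambition and .teambition-token come from the skill's runtime instructions.

```python
"""Confine {baseDir} and store the Teambition token safely (added example)."""
import os
import stat
import tempfile
from pathlib import Path

# File names come from the skill's runtime instructions; the workspace
# directory and the token value below are assumptions for the demo.
CONFIG_TEMPLATE = "{baseDir}/.teambition"
TOKEN_TEMPLATE = "{baseDir}/.teambition-token"


def expand_skill_path(template: str, base_dir: str, workspace: str) -> Path:
    """Substitute {baseDir} in a SKILL.md path and refuse anything outside workspace.

    resolve() follows symlinks and collapses '..', so baseDir=/etc,
    baseDir=ws/../.. and a symlink planted inside ws are all rejected.
    """
    ws = Path(workspace).resolve()
    target = Path(template.replace("{baseDir}", base_dir)).resolve()
    if target != ws and ws not in target.parents:
        raise PermissionError(
            f"{template!r} with baseDir={base_dir!r} resolves to {target}, outside {ws}"
        )
    return target


def write_token(base_dir: str, workspace: str, token: str) -> Path:
    """Persist the token owner read/write only (0600), never through a symlink."""
    path = expand_skill_path(TOKEN_TEMPLATE, base_dir, workspace)
    path.parent.mkdir(parents=True, exist_ok=True)
    if path.is_symlink():
        raise PermissionError(f"{path} is a symlink; refusing to write through it")
    # Create with mode 0600 so the file is never world-readable, not even
    # between creation and a later chmod; O_NOFOLLOW closes the symlink race.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(token + "\n")
    # The O_CREAT mode applies only to new files; tighten a pre-existing loose one.
    os.chmod(path, 0o600)
    return path


def audit_token_file(path: Path) -> list:
    """Findings a reviewer would raise about where the token actually landed."""
    findings = []
    if path.is_symlink():
        findings.append("token path is a symlink")
    if not path.exists():
        findings.append("token file missing")
        return findings
    st = path.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {oct(mode)} lets group/others read the token")
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append("token file owned by another user")
    return findings


def demo() -> dict:
    """Run the checks in a throwaway workspace and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as ws:
        token = "tb_example_token_not_real"  # constructed value, not a real token
        # Case 1: baseDir is the workspace itself -> allowed, file ends up 0600.
        path = write_token(ws, ws, token)
        results["confined_path_ok"] = path.parent == Path(ws).resolve()
        results["fresh_findings"] = audit_token_file(path)
        results["mode"] = oct(stat.S_IMODE(path.stat().st_mode))
        # Case 2: the file was loosened later -> the audit catches it.
        os.chmod(path, 0o644)
        results["loose_findings"] = audit_token_file(path)
        # Case 3: baseDir escapes the workspace -> refused before any write.
        for name, bad in (("escape_etc", "/etc"),
                          ("escape_dotdot", os.path.join(ws, "..", ".."))):
            try:
                expand_skill_path(TOKEN_TEMPLATE, bad, ws)
                results[name] = "ALLOWED (bug)"
            except PermissionError:
                results[name] = "refused"
        # Case 4: a symlink inside the workspace pointing outside is also refused.
        link = Path(ws) / "link"
        link.symlink_to("/etc")
        try:
            expand_skill_path(CONFIG_TEMPLATE, str(link), ws)
            results["symlink_escape"] = "ALLOWED (bug)"
        except PermissionError:
            results["symlink_escape"] = "refused"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The workspace check compares fully resolved paths rather than string prefixes, so a baseDir of ws2 does not pass as "inside" ws, and a symlink inside the workspace cannot redirect the config or token file to $HOME or /etc. The 0600 mode is passed to os.open at creation time because a chmod after writing leaves a window in which the plaintext token is readable by every local user.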

Like a lobster shell, security has layers — review code before you run it.

latest · vk970wyxk4dyf7m8c857zgzx7dx83yfy3


Runtime requirements

Clawdis
Bins: npx
