Teambition
Review
Audited by ClawScan on May 10, 2026.
Overview
This Teambition skill is purpose-aligned, but it gives the agent broad ability to change or delete project data and store an account token without clear confirmation or credential-handling limits.
Install only if you trust the Teambition MCP server you will configure. Before letting the agent make changes, require it to confirm destructive, membership, permission, archive, or bulk updates. Store any Teambition token securely, limit its permissions if possible, and remove it when no longer needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or ambiguous request could lead the agent to delete tasks, remove members, archive data, or change project settings without an explicit final approval.
The skill exposes destructive and administrative Teambition operations and instructs direct tool use when one tool seems applicable, without a separate confirmation step for high-impact changes.
`DeleteTaskV3` | Delete task ... `DeleteProjectMemberV3` | Delete project member ... If only one tool clearly applies → use it directly
Require explicit user confirmation for create/update/delete/archive/member/permission changes, showing the exact target, action, and expected effect before execution.
A Teambition token stored in a local file could allow account-level actions if exposed or reused beyond the user's intended operation.
The skill introduces local storage of a user authentication token but does not define token scope, file permissions, rotation, redaction, or when it will be read and used.
`{baseDir}/.teambition-token` | Stores the user authentication token (optional, used for operations that require login)
Use a managed secret store or clearly document secure file permissions, token scope, redaction rules, and user approval requirements before using the token.
If the configured MCP server is not the legitimate Teambition service, project data or credentials could be sent to the wrong endpoint.
The skill relies on a user-provided MCP server URL. This is expected for an MCP integration, but the artifacts do not specify validation of the server identity or trust boundary.
`mcp_server=https://your-mcp-server-url.com` ... Please provide your Teambition MCP Server address
Only configure an official or trusted Teambition MCP server URL, preferably obtained from the referenced Teambition MCP configuration page.
Users cannot verify from these artifacts exactly what MCP server/tool implementation will process their Teambition data.
The artifacts do not include code, an install spec, or a verifiable source for the MCP tooling, limiting review of the actual implementation.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Use only a trusted MCP server and prefer skills that document the implementation source, install process, and credential boundaries.
