Tapd
Security checks across malware telemetry and agentic risk
Overview
This appears to be a normal TAPD API helper, but it can change TAPD project records and send Enterprise WeChat webhook messages when used.
This skill is reasonable to install if you want TAPD automation. Before using it, provide a scoped TAPD token, keep BOT_URL private, and ask the agent to confirm workspace IDs, item IDs, and content before any create/update or notification action.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent is given unclear instructions, it could create or update project items, comments, Wiki pages, or timesheets in TAPD.
The skill is explicitly designed to create and update TAPD business records. This is purpose-aligned, but it can affect shared project data.
Query, create, update requirements (stories) or tasks ... Query, create, update defects (bugs) ... Query, create, update Wiki (tapd_wikis) ... Query, create, update timesheets
Use clear workspace IDs, item IDs, and desired changes; review create/update actions before allowing the agent to submit them.
A broadly formed request could reach TAPD API endpoints beyond the most common operations if the agent is instructed to do so.
The helper exposes a generic POST command where the endpoint and body can be chosen at runtime. It is confined to the configured TAPD base URL, but it is broader than individual safe wrappers.
p_post = sub.add_parser("post", help="通用 POST:--endpoint 路径,-b JSON 或 -p key=val")
Prefer the documented task-specific operations, and only use the generic GET/POST commands when the endpoint, payload, and intended effect are understood.
The skill acts with the TAPD permissions of the provided token or API account.
The script reads TAPD credentials from environment variables and sends them in Authorization headers, which is expected for TAPD API access.
token = os.environ.get("TAPD_ACCESS_TOKEN") ... "Authorization": f"Bearer {token}"
Use the least-privileged TAPD credential that can perform the needed operations, and avoid sharing tokens in prompts or logs.
Information included in notifications may be posted to an Enterprise WeChat group or channel configured by the webhook.
The skill can send message content to an external Enterprise WeChat webhook URL. This is disclosed and purpose-aligned for notifications.
Enterprise WeChat message | POST | BOT_URL (not TAPD) | body: msgtype is markdown or markdown_v2, content is the message content
Treat BOT_URL as a secret and confirm that message content is appropriate for the target group before sending.
