zentao
Pass. Audited by ClawScan on May 1, 2026.
Overview
The skill is consistent with its stated ZenTao CLI purpose, but users should note that it installs a global npm CLI and stores ZenTao login credentials locally.
This appears safe for its stated purpose if you trust the npm package and intend the agent to access ZenTao. Before installing, confirm the package source, use a least-privileged ZenTao account, and remember that the login workflow stores credentials under the local ZenTao config directory.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to use the user's ZenTao account to view products, bugs, and bug details, and the login credentials may remain on the machine after setup.
The skill requires ZenTao account credentials and stores them locally for later CLI use; this is expected for the stated login/query purpose, but it is sensitive account access.
zentao login ... --zentao-account="leo" ... --zentao-password="***" ...
This writes credentials to: ~/.config/zentao/config.toml
Use the least-privileged ZenTao account suitable for the task, verify the config file permissions, and remove or rotate stored credentials if the skill is no longer needed.
Installing the package adds a global command to the local environment, so trust in the npm package matters.
The skill instructs installation of a global npm package that supplies the zentao CLI. This is disclosed and central to the purpose, but it depends on external package provenance.
pnpm i -g @leeguoo/zentao-mcp
Install from the expected npm package page, consider pinning or reviewing the package version, and install in an environment appropriate for company issue-tracker access.
