zentao
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may be able to use the user's ZenTao account to view products, bugs, and bug details, and the login credentials may remain on the machine after setup.
The skill requires ZenTao account credentials and stores them locally for later CLI use; this is expected for the stated login/query purpose, but it is sensitive account access.
zentao login ... --zentao-account="leo" ... --zentao-password="***" ...
This writes credentials to: ~/.config/zentao/config.toml
Use the least-privileged ZenTao account suitable for the task, verify the config file permissions, and remove or rotate stored credentials if the skill is no longer needed.
Installing the package adds a global command to the local environment, so the trustworthiness of the npm package matters.
The skill instructs installation of a global npm package that supplies the zentao CLI. This is disclosed and central to the purpose, but it depends on external package provenance.
pnpm i -g @leeguoo/zentao-mcp
Install from the expected npm package page, consider pinning or reviewing the package version, and install in an environment appropriate for company issue-tracker access.
