zentao

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: zentao
Version: 1.0.1

The skill bundle is benign. It provides instructions for installing and using the `zentao` CLI tool to interact with ZenTao, including login and querying products/bugs. All commands and descriptions are aligned with the stated purpose, and there is no evidence of prompt injection, data exfiltration, malicious execution, persistence mechanisms, or obfuscation. The skill transparently describes where credentials are stored (`~/.config/zentao/config.toml`), which is expected behavior for a login utility and not an attempt at exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to use the user's ZenTao account to view products, bugs, and bug details, and the login credentials may remain on the machine after setup.

Why it was flagged

The skill requires ZenTao account credentials and stores them locally for later CLI use; this is expected for the stated login/query purpose, but it is sensitive account access.

Skill content

zentao login ... --zentao-account="leo" ... --zentao-password="***" ... This writes credentials to: ~/.config/zentao/config.toml

Recommendation

Use the least-privileged ZenTao account suitable for the task, verify the config file permissions, and remove or rotate stored credentials if the skill is no longer needed.

What this means

Installing the package adds a global command to the local environment, so trust in the npm package matters.

Why it was flagged

The skill instructs installation of a global npm package that supplies the zentao CLI. This is disclosed and central to the purpose, but it depends on external package provenance.

Skill content

pnpm i -g @leeguoo/zentao-mcp

Recommendation

Install from the expected npm package page, consider pinning or reviewing the package version, and install in an environment appropriate for company issue-tracker access.