ClickUp MCP

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate ClickUp MCP skill, but it asks users to reuse a long-lived ClickUp OAuth token and gives the agent broad ClickUp workspace write and messaging abilities without strong scoping guidance.

Install only if you are comfortable giving the agent broad access to your ClickUp workspace. Treat CLICKUP_TOKEN like a password, keep the env file private, prefer the least-privileged ClickUp account or workspace available, and require explicit confirmation before the agent updates tasks/docs, logs time, adds comments, uploads attachments, or sends chat messages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill provides explicit instructions to extract an OAuth access token from a local credentials file and store it manually in an environment file, but it does not warn that this token is sensitive, long-lived, and equivalent to account access. This increases the chance users will mishandle, overexpose, or persist the token insecurely outside the original OAuth client boundary.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal