Dingtalk Teambition Project

Security checks across malware telemetry and agentic risk

Overview

This is a mostly coherent Teambition integration, but it should be reviewed because it can change live project/task data and expose member details and signed file links without consistent guardrails.

Install only if you trust this skill with your Teambition account and workspace data. Prefer TEAMBITION_USER_TOKEN in your environment over user-token.json, keep any token file out of source control, and rotate the token if exposed. Before allowing the agent to archive projects or tasks, complete sprints, change task status/assignee/priority, or return attachment links, require an explicit confirmation that names the exact target. Treat printed member contact details and signed download URLs as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The README advertises capabilities beyond the stated skill description, including sprint management, archiving, member management, and custom-field operations. This kind of scope mismatch can cause reviewers, users, or calling agents to underestimate what the skill can do, increasing the risk of unauthorized or unexpected state-changing actions against live Teambition data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The script inventory exposes operational abilities not reflected in the skill metadata, such as archive/restore, sprint lifecycle changes, workflow status retrieval, custom-field access, and activity queries. Undeclared functionality reduces transparency and can bypass user or platform expectations about what the skill is permitted to access or modify.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding:
The script exposes archive and restore operations that are not declared in the skill manifest, creating a capability mismatch between what users and reviewers are told the skill can do and what it can actually perform. Hidden or undocumented state-changing actions are dangerous because they can be invoked unexpectedly, bypass user expectations, and weaken security review of destructive task-management behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
On ambiguous member lookup, the code prints each candidate's email address to stderr. That discloses personally identifiable information beyond what is necessary to resolve a task-management request, and the skill manifest does not justify broad email revelation as part of normal operations.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The script enriches task results by resolving file-type custom fields into signed download URLs and then includes those URLs in the JSON output. That expands the data exposure surface from task metadata to direct file access links, which can leak sensitive attachments to downstream consumers, logs, or users who only intended to query tasks.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The script outputs the parsed `attachments` object derived from `rtfValueToken`, which may contain real attachment metadata and direct download URLs rather than just rendered text. In a task-management skill, this increases the chance of unintended data disclosure because users invoking a text-rendering helper may receive access paths to files they did not explicitly request.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README instructs users to place a Teambition user token in a local JSON file without warning about file permissions, accidental commits, or secret leakage. Plaintext credential storage in project directories materially increases the chance of token exposure through source control, backups, shared workspaces, or local compromise.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The skill documents destructive project archive/unarchive operations without any warning, confirmation, or guardrails. In an agent context, this increases the risk of accidental or prompt-induced state-changing actions against whole projects, which can disrupt visibility and workflows even if the operation is reversible.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The file documents state-changing operations such as archive, restore, and mark done/undone without any warning, confirmation guidance, or discussion of user impact. In an agent skill, this increases the risk of accidental destructive or workflow-altering actions being performed from ambiguous user prompts, especially because these APIs can materially change project state.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The script performs immediate remote state-changing API calls to archive or restore a task based solely on CLI arguments, with no confirmation, dry-run mode, or secondary validation. In an agent setting, this raises the risk of unintended destructive changes from prompt misunderstanding, parameter mix-ups, or malicious instruction injection, especially because archiving alters task visibility and workflow state.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script prints personally identifiable account data, including email, phone number, employee number, role, and account status, directly to stdout and also emits the full JSON object. In CLI and agent environments, stdout is often captured in logs, traces, chat transcripts, or shared execution history, which can unintentionally expose sensitive user data beyond the immediate caller.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The script deliberately returns and prints personally identifiable information, including email addresses and phone numbers, for matched enterprise members. In a team-management skill this may be functionally useful, but exposing more fields than are strictly necessary without access-control checks, masking, or explicit user consent creates a privacy and data-minimization risk and can enable employee enumeration or contact harvesting if the skill is invoked broadly.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
In detailed mode, the script requests signed download URLs for attachment-like custom field entries and then prints the enriched task objects to stdout. Those URLs are bearer-style access artifacts with a long lifetime (7 days), so exposing them in normal task-detail output can unintentionally leak access to files via logs, terminals, chat transcripts, or downstream tool chains.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The code requests signed file URLs with the maximum 7-day expiry and emits them without any warning, masking, or sensitivity handling. If the output is shown in chat, stored in logs, or forwarded to other tools, recipients may gain reusable access to attached files beyond the original task-query intent.

VirusTotal

66/66 vendors flagged this skill as clean.
