Back to skill

Security audit

Test Integration

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ClickUp task-management skill that can read a ClickUp token and create or update tasks, with no evidence of hidden exfiltration, persistence, or unrelated behavior.

Install only if you want an agent to access your ClickUp workspace. Use a least-privilege ClickUp API token, avoid storing secrets in shared markdown when possible, and require explicit confirmation before creating tasks or changing statuses in important workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill automatically loads API credentials from a local file or environment and uses them to send authenticated requests to an external service without any user-facing disclosure or consent boundary. In an agent/tooling context, this can cause users to unknowingly grant the skill access to workspace data and enables silent exfiltration of task metadata to ClickUp.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill exposes write operations that create tasks and update task status on a remote ClickUp workspace without any confirmation, authorization check, or warning that remote state will be modified. In an agent setting, prompt injection or user misunderstanding could trigger unintended changes to production task data.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
skill.js:30