ClawHub

Test Integration

v1.0.2

Manage ClickUp tasks by listing, creating, updating statuses, and retrieving details via ClickUp API using provided workspace and API token.

1· 1.5k·0 current·0 all-time
byRandom@savelieve
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
SKILL.md and skill.js implement a ClickUp API integration (listing/creating/updating/searching tasks), which is consistent. However the registry metadata says 'Required env vars: none' while both SKILL.md and skill.js require CLICKUP_API_TOKEN and CLICKUP_WORKSPACE_ID — this metadata mismatch is incoherent and could mislead users about what credentials are needed.
!
Instruction Scope
The runtime instructions tell the user to put credentials in TOOLS.md or env vars. The code implements that by reading a CONFIG_PATH computed as join(__dirname, '..', '..', '..', 'clawd', 'TOOLS.md'), i.e. a file outside the skill directory. Reading an external TOOLS.md is scope creep: it can expose any content in that file (not just ClickUp tokens) and the SKILL.md does not specify the exact expected path or format clearly.
Install Mechanism
There is no install spec (instruction-only install). The package contains code but it does not fetch remote artifacts or run an installer; risk from the install mechanism is low.
Credentials
Requesting CLICKUP_API_TOKEN and CLICKUP_WORKSPACE_ID is appropriate for a ClickUp integration. However these env vars are not declared in the registry metadata and the implementation additionally attempts to parse credentials from TOOLS.md (which may contain other secrets). That combination increases the chance of accidental exposure if TOOLS.md holds unrelated credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide settings, and does not ask to be persistently installed beyond normal skill code — privileges appear normal for a tool integration.
What to consider before installing
This skill implements a ClickUp integration but has two issues you should consider before installing: (1) the code will look for credentials in a TOOLS.md file located at ../../../../clawd/TOOLS.md relative to the skill, which means it will read a file outside the skill directory — verify where that file lives and what it contains (avoid keeping other secrets there); (2) the registry metadata does not list the required CLICKUP_API_TOKEN and CLICKUP_WORKSPACE_ID environment variables, so the skill may fail unless you set them or create the TOOLS.md entry. If you proceed, prefer setting the two ClickUp env vars rather than storing credentials in a shared TOOLS.md, inspect the skill.js source yourself, and ensure file permissions on any TOOLS.md prevent accidental exposure of other secrets. If you want higher assurance, ask the publisher to update registry metadata to declare the required env vars and to document the exact TOOLS.md path/format.

Like a lobster shell, security has layers — review code before you run it.

latestvk978g23bf6we4h6mqtscbqs6bh80hz46

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments