Test Integration

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ClickUp task-management integration that uses a ClickUp token and can create or update tasks, with no evidence of hidden exfiltration or persistence.

Install only if you want an agent to act in your ClickUp workspace. Use a least-privilege ClickUp API token, avoid storing the token in shared markdown if possible, and require explicit confirmation before creating tasks or changing statuses in important workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill reads ClickUp credentials from a local markdown file and environment variables, which expands secret-access scope beyond what is explicitly disclosed by the tool interface. In an agent setting, this is dangerous because the skill can silently harvest sensitive tokens from unrelated local configuration and immediately use them for API access, increasing the risk of unauthorized data access if the skill is installed or invoked unexpectedly.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill documents state-changing ClickUp operations such as task creation and status updates, but it does not clearly warn that these actions will modify live external workspace data. In an agent setting, omission of an explicit mutation warning can lead to unintended writes, workflow disruption, or accidental changes to production task state when a user expected read-only behavior.

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill accesses secrets from local config and environment without any explicit user-facing warning or consent mechanism. In agent ecosystems, silent secret access is risky because users may not realize the skill can read locally available credentials and act on their behalf, enabling unintended account access and data exposure.

Missing User Warnings

Medium
Confidence: 82%
Finding
The skill sends authenticated requests and user-supplied task content to ClickUp without explicit disclosure that data will leave the local environment. This matters because task names, descriptions, search queries, and identifiers may contain sensitive business information, and users may not expect external transmission from a local skill.

VirusTotal

65/65 vendors flagged this skill as clean.
