Back to skill

Security audit

ClickUp

Security checks across malware telemetry and agentic risk

Overview

This ClickUp skill is aligned with its stated purpose, but it exposes live create, update, and delete operations without clear confirmation or safety boundaries.

Install only if you are comfortable giving the agent access to your ClickUp workspace. Treat it as write-capable: require explicit confirmation before creating, updating, assigning, changing status, or deleting tasks, and prefer a limited ClickUp API token or test workspace where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to use shell commands (`curl`, helper scripts, loops, and `jq`) but does not declare any permissions or safety boundaries for shell execution. This creates an execution-capability mismatch that can lead to unintended command execution, easier extension into unsafe shell usage, and reduced visibility for reviewers about the skill's true power.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The description uses broad invocation language such as task management, reporting, automation, and any ClickUp-related queries, making it easy for the skill to be selected for many ordinary prompts. Over-broad matching increases the chance the agent will invoke a networked, shell-capable skill in situations where it is unnecessary, exposing tokens and remote project data to more workflows than intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents task creation and update operations but does not warn that these actions modify remote project data. In an agent setting, this omission can cause unintended state changes in a live ClickUp workspace, including task creation, reassignment, status changes, and priority edits, especially if invoked from ambiguous user requests.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide includes ready-to-run POST and PUT examples that modify remote ClickUp state without any warning, confirmation requirement, or emphasis that these operations are destructive to live project data. In an agent skill context, examples often become implementation guidance, so this omission can lead an agent or user to create or alter tasks unintentionally in production workspaces.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Listing a DELETE endpoint in a quick reference without marking it as destructive normalizes irreversible operations alongside safe read actions. In a workflow automation skill, that increases the chance an agent or operator will invoke deletion without understanding the consequence, potentially causing loss of tasks or project records.

VirusTotal

49/49 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.