ClawHub

ClickUp

v1.2.0

Interact with ClickUp project management platform via REST API. Use when working with tasks, spaces, lists, assignees, or any ClickUp workflow automation. Handles pagination, subtasks, and common query patterns. Use for task management, reporting, automation, or any ClickUp-related queries.

9· 3.8k·21 current·21 all-time
by@shubhs0707
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the implementation: the script and docs perform ClickUp API calls and legitimately need a ClickUp API token and team ID. HOWEVER the registry metadata claims no required env vars or primary credential, which is inconsistent with the documented and implemented requirements.
Instruction Scope
SKILL.md and references only instruct calling ClickUp endpoints (api.clickup.com), using the helper script, and following pagination/subtask rules. There are no instructions to read unrelated files or exfiltrate data to unexpected endpoints. It references TOOLS.md for configuration (expected).
Install Mechanism
No install spec (instruction-only + script) — lower risk. But the helper script expects runtime tools (curl, jq, awk, sort, uniq) which the registry did not declare as required binaries; callers must ensure these exist. No downloads or executables are fetched from external URLs.
!
Credentials
The script requires CLICKUP_API_KEY and CLICKUP_TEAM_ID (sensitive token + workspace id). Those environment variables are documented in SKILL.md but are not declared in the registry metadata (no primaryEnv listed). This mismatch reduces transparency and may cause accidental misuse (e.g., supplying overly-scoped or overly-broad tokens).
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and has no install-time persistence. Autonomous invocation is allowed (platform default) but that is expected and not an intrinsic red flag alone.
What to consider before installing
This skill's code and docs implement a normal ClickUp API helper, but the package metadata failed to declare required secrets and runtime dependencies. Before installing or using it: - Confirm you will provide a ClickUp API token (CLICKUP_API_KEY) scoped minimally (read-only if possible) and the CLICKUP_TEAM_ID. Treat the token as sensitive. - Ensure the runtime environment has curl, jq, and common shell utilities the script uses. - Review scripts/clickup-query.sh yourself (it calls only api.clickup.com) and the SKILL.md to confirm there are no additional endpoints. - Prefer creating a least-privilege API token in ClickUp (limit scopes and rotate/revoke if needed). - Ask the publisher to update registry metadata to list required env vars and primary credential; lack of these declarations is a transparency problem. If you cannot verify the token scope or the author, consider running the script in an isolated environment or using direct curl calls with a temporary token instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk9747jyc6c4xz1wwebc7jbmras808cyk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments