ClickUp Operator

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed ClickUp task-routing skill that can change live ClickUp data, but the behavior matches its stated purpose and no hidden code, exfiltration, or destructive mechanism was found.

Install only if you want the agent to make live ClickUp changes on your behalf. Use a test list or the safe-live smoke test first, keep tokens out of chat/logs, verify the config points to the right workspace and lists, and be explicit when asking it to move, assign, reschedule, or create work.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium, 89% confidence

Finding: The skill explicitly promotes low-friction, immediate ClickUp actions and says to act without unnecessary confirmation, which increases the chance of unintended writes to user project data. In an agentic context that can create, move, assign, and due-date tasks, missing explicit guardrails around destructive or state-changing actions can lead to accidental modification of lists, assignments, and workflow state.

Vague Triggers

Medium, 89% confidence

Finding: The default prompt is broadly framed to help create, route, update, and read ClickUp work with minimal back-and-forth, but it does not define clear activation boundaries, authorization checks, or confirmation requirements for state-changing actions. In a task-management skill that can create, move, assign, or due-date work, this increases the risk of unintended or overly permissive execution when a user request is ambiguous or when prompt injection attempts try to steer actions without sufficient validation.

Missing User Warnings

Medium, 96% confidence

Finding: The smoke test explicitly instructs running against a real ClickUp workspace and includes prompts that create tasks and ideas, but it does not warn that these actions will write persistent data to production-like state. This can lead to unintended task creation, workspace pollution, and accidental changes during testing, especially if operators assume the test is read-only or safe to run casually.

Missing User Warnings

Medium, 84% confidence

Finding: The onboarding text directs the agent to help with ClickUp auth/token retrieval and to store or reference the token in a local environment path, but it does not include safeguards for secret handling. In an agent-driven setup flow, this can lead to credentials being exposed in chat, written to insecure files, logged, or stored in the wrong location, increasing the chance of account compromise.

Vague Triggers

Medium, 86% confidence

Finding: The rule defines general to-dos using broad natural-language cues such as 'reminder,' 'action item,' or any 'plainly actionable one-off task,' which can cause the agent to interpret ordinary conversation as an instruction to create or modify ClickUp tasks. In a skill designed to execute immediately with minimal confirmation, this increases the risk of unintended task creation, misrouting, and silent workflow changes from ambiguous user phrasing.

VirusTotal

64/64 vendors flagged this skill as clean.