Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clickup Project Management

v1.0.10

Manage ClickUp via natural language. Uses the taazkareem.com remote MCP server. A license key is required for full tool access (unlicensed calls return check...

by Talib Kareem (@taazkareem)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)

Purpose & Capability
Name/description match the behavior: the skill proxies ClickUp operations through the taazkareem.com MCP server and declares CLICKUP_MCP_LICENSE_KEY as the required credential.
Instruction Scope
SKILL.md explicitly instructs enabling the bundled mcporter client and configuring it to send the license key and any ClickUp OAuth tokens to the remote MCP server. This behavior is necessary for the described proxying function but does involve transmitting sensitive workspace data and tokens to a third party.
Install Mechanism
Instruction-only skill with no install spec or downloaded code; nothing is written or executed by the skill itself beyond instructing use of an existing mcporter client.
Credentials
The only declared required environment variable is CLICKUP_MCP_LICENSE_KEY, which is reasonable. However, the runtime flow creates and transmits a ClickUp OAuth access token (via mcporter auth) to the remote server; while functionally necessary, that sensitive token is not declared as a required env var and will be exfiltrated to the third party.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is user-invocable only. It stores a license key in typical OpenClaw config paths and mcporter caches tokens locally as documented.
Assessment
This skill works by sending your ClickUp OAuth token, license key, and task payloads to a third-party server (clickup-mcp.taazkareem.com). That behavior is documented in SKILL.md, so the risk is transparency rather than deception. Before installing: (1) only proceed if you trust the operator and have reviewed the referenced GitHub repo; (2) consider using read-only or limited 'persona' headers to restrict what the server can do; (3) be aware your ClickUp OAuth token will be cached locally (~/.mcporter) and transmitted — revoke the token if you later stop trusting the service; (4) if you need stronger guarantees, host your own MCP proxy or use ClickUp's official API integrations instead. If you want a stricter assessment, provide the mcporter client code and the MCP server source (or confirmation of a trusted release) so we can verify there is no hidden exfiltration or unexpected behavior.

Runtime requirements

📋 Clawdis
Env: CLICKUP_MCP_LICENSE_KEY
Primary env: CLICKUP_MCP_LICENSE_KEY

SKILL.md

ClickUp Project Management

Manage your ClickUp workspace using the ClickUp MCP Server via the bundled mcporter skill.

External Endpoints

| URL | Data Sent | Purpose |
| --- | --- | --- |
| https://clickup-mcp.taazkareem.com/mcp | License key (via X-License-Key header), ClickUp OAuth access token (via Authorization header), MCP tool call payloads (task names, IDs, field values, etc.) | Remote MCP server that proxies ClickUp API v2 calls on your behalf |
| https://api.clickup.com/api/v2/* | ClickUp OAuth token (proxied by the MCP server) | Upstream ClickUp API — requests are made by the remote server, not directly from your machine |

Security & Privacy

  • What stays local: Your CLICKUP_MCP_LICENSE_KEY is stored in ~/.openclaw/openclaw.json (or your shell environment). OAuth tokens are cached locally by mcporter in ~/.mcporter/.
  • What leaves your machine: Every MCP tool call sends your license key and ClickUp OAuth token to the remote server at clickup-mcp.taazkareem.com. Tool call payloads (task data, workspace hierarchy, etc.) are also transmitted.
  • No scripts or code execution: This is an instruction-only skill — it does not install or run any scripts on your machine. It relies on the bundled mcporter client.
  • OAuth tokens: The mcporter auth ClickUp flow creates a ClickUp OAuth access token that is stored locally and transmitted to the remote MCP server with each call — the server uses it to proxy requests to the ClickUp API on your behalf.

Trust statement: By using this skill, your ClickUp workspace data and OAuth credentials are transmitted to and processed by a third-party server (clickup-mcp.taazkareem.com) operated by Talib Kareem. Only install this skill if you trust this operator and have reviewed the project repository.

Prerequisites

  1. Enable mcporter in ~/.openclaw/openclaw.json:

    {
      "skills": {
        "allowBundled": ["mcporter"]
      }
    }
    
  2. Configure ClickUp (one-time setup):

    # Use the $CLICKUP_MCP_LICENSE_KEY env provided by the skill metadata
    mcporter config add ClickUp https://clickup-mcp.taazkareem.com/mcp \
      --auth oauth \
      --header "X-License-Key=$CLICKUP_MCP_LICENSE_KEY"
    
  3. Authenticate (tokens are cached):

    mcporter auth ClickUp
    

Optimization: Tool Filtering Personas

<!-- Last updated: v0.12.14 -->

To reduce context noise and improve AI accuracy, you can limit the tools available to your agent using the X-Enabled-Tools header in your mcporter config.

Proactive Agent Rule: If the current task aligns with one of these personas, you should dynamically apply the filtering header by re-running the mcporter config add command with the appropriate X-Enabled-Tools or X-Disabled-Tools flag.

Recommended Presets

| Persona | Purpose | Header Config |
| --- | --- | --- |
| Auditor | Read-only access | --header X-Enabled-Tools=get_workspace_hierarchy,get_workspace_tasks,get_task,get_list,get_folder,get_list_custom_fields,get_task_comments,get_task_time_entries,get_workspace_time_entries,get_current_time_entry,get_task_links,get_space_tags,get_workspace_members,find_member_by_name,get_chat_channels,get_chat_messages,get_document,list_documents,list_document_pages,get_document_pages,submit_feedback |
| Task Worker | Daily task mgmt | --header X-Enabled-Tools=get_workspace_hierarchy,get_workspace_tasks,get_task,get_list,get_folder,get_list_custom_fields,create_task,update_task,set_task_custom_field,move_task,duplicate_task,create_task_comment,get_task_comments,attach_task_file,start_time_tracking,stop_time_tracking,add_tag_to_task,remove_tag_from_task,add_task_link,delete_task_link,get_task_links,add_task_to_list,remove_task_from_list,find_member_by_name,submit_feedback |
| Time Specialist | Tracking & Reports | --header X-Enabled-Tools=get_workspace_hierarchy,get_workspace_tasks,get_task,get_task_time_entries,get_workspace_time_entries,get_current_time_entry,start_time_tracking,stop_time_tracking,add_time_entry,delete_time_entry,submit_feedback |
| Content Mgr | Docs & Chat | --header X-Enabled-Tools=get_workspace_hierarchy,get_workspace_tasks,get_task,get_task_comments,create_task_comment,find_member_by_name,create_document,get_document,list_documents,list_document_pages,get_document_pages,create_document_page,update_document_page,create_chat_channel,get_chat_channels,create_chat_message,get_chat_messages,submit_feedback |
| Safe Power User | Full access (No Delete) | --header X-Disabled-Tools=delete_task,delete_bulk_tasks,delete_time_entry,delete_task_link,delete_list,delete_folder,delete_space_tag |

How to Apply

To switch to a persona (e.g., Task Worker), run:

mcporter config add ClickUp https://clickup-mcp.taazkareem.com/mcp \
  --header "X-License-Key=$CLICKUP_MCP_LICENSE_KEY" \
  --header "X-Enabled-Tools=get_workspace_hierarchy,..."
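
A check you might run before applying a preset, as an added example that is not part of the skill or of mcporter: it lists the tools in an X-Enabled-Tools value whose names do not look read-only, so a "read-only" allowlist can be verified before it is sent. The read-style prefixes (get_, list_, find_) are an assumption inferred from the tool names in the presets, not documented server behaviour, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an X-Enabled-Tools allowlist by tool name.

# Assumption: tools with these prefixes only read data (inferred from names).
READ_PREFIXES="get_ list_ find_"

# Preset values copied from the Recommended Presets table.
AUDITOR="get_workspace_hierarchy,get_workspace_tasks,get_task,get_list,get_folder,get_list_custom_fields,get_task_comments,get_task_time_entries,get_workspace_time_entries,get_current_time_entry,get_task_links,get_space_tags,get_workspace_members,find_member_by_name,get_chat_channels,get_chat_messages,get_document,list_documents,list_document_pages,get_document_pages,submit_feedback"
TIME_SPECIALIST="get_workspace_hierarchy,get_workspace_tasks,get_task,get_task_time_entries,get_workspace_time_entries,get_current_time_entry,start_time_tracking,stop_time_tracking,add_time_entry,delete_time_entry,submit_feedback"

# Print each tool in the comma-separated list $1 whose name does not start
# with a read-style prefix, one per line.
non_read_tools() {
  printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r tool; do
    [ -n "$tool" ] || continue
    ok=0
    for p in $READ_PREFIXES; do
      case "$tool" in "$p"*) ok=1 ;; esac
    done
    [ "$ok" -eq 1 ] || printf '%s\n' "$tool"
  done
}

# Succeed only if $1 holds nothing but read-style tools, plus any names the
# reviewer has explicitly accepted in $2 (space-separated).
is_read_only() {
  extra=$(non_read_tools "$1")
  for accepted in $2; do
    extra=$(printf '%s\n' "$extra" | grep -vxF -- "$accepted" || true)
  done
  [ -z "$extra" ]
}

# The Auditor preset has one entry that is not read-style by name.
non_read_tools "$AUDITOR"   # prints: submit_feedback

if is_read_only "$AUDITOR" "submit_feedback"; then
  echo "Auditor: read-only apart from the accepted submit_feedback"
fi
if ! is_read_only "$TIME_SPECIALIST" "submit_feedback"; then
  echo "Time Specialist: includes write tools"
fi
```

The check is by name only; it does not prove what the remote server does with a given tool.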

Personalization & Workflows

Following the OpenClaw standard, do not modify this skill for environment-specific details. Instead, use your agent's workspace/TOOLS.md file to define:

  • Custom Workflows: Define multi-step orchestrations (e.g., "Daily Wrap-up").
  • Specific IDs: Store commonly used team_id, list_ids, folder_ids, etc.
  • Structures or Conventions: Any rules or consistent behavior (e.g., common custom fields, tag rules, etc.)

Usage

Use the standard mcporter command pattern:

mcporter call ClickUp.<tool_name> [parameters]
