ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

teambition

v1.0.0

Create and query tasks in TeamBition across multiple apps using configured project and organization settings.

0· 45·0 current·0 all-time
by@wengjianmin19850412
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (TeamBition task create/query) align with the code and SKILL.md: the skill needs TEAMBITION_APP_ID and TEAMBITION_APP_SECRET to obtain an OAuth token and call TeamBition APIs. However, the registry metadata claims no required environment variables, which contradicts both the SKILL.md and main.py and is a notable inconsistency.
Instruction Scope
SKILL.md and main.py limit actions to obtaining an access token (client_credentials) and calling TeamBition endpoints for task creation and retrieval. The instructions and code only reference TeamBition API endpoints and the declared configuration items; they do not read unrelated files or contact other external services.
Install Mechanism
No install spec is provided (instruction-only plus a small Python file). Nothing is downloaded from arbitrary URLs and no archive extraction occurs. Note: main.py uses the 'requests' library — the runtime must provide it.
!
Credentials
The secrets requested by the code (app id and app secret, optional access token) are appropriate for the stated purpose, but the published registry metadata claiming zero required env vars is inconsistent and could mislead users into not supplying necessary credentials or misrepresent the sensitivity of data requested. The skill will exchange the app secret for an access token and then send API calls to open.teambition.com (expected for this integration).
Persistence & Privilege
The skill does not request permanent/platform-wide presence (always:false). It does not modify other skills' configs and does not request elevated platform privileges.
What to consider before installing
This skill appears to be a straightforward TeamBition integration, but before installing: 1) expect to provide TEAMBITION_APP_ID and TEAMBITION_APP_SECRET (the registry incorrectly lists none) — those credentials grant the skill the ability to obtain access tokens and access your TeamBition data, so only provide them if you trust the agent. 2) Confirm the runtime has Python and the 'requests' library. 3) Prefer providing a pre-created limited-scope access token rather than full client_secret where possible, and restrict/rotate credentials after testing. 4) Be aware the skill returns raw API responses (may include org/project/task metadata). 5) Ask the publisher to correct the registry metadata to accurately list required env vars; that discrepancy reduces transparency.

Like a lobster shell, security has layers — review code before you run it.

latestvk977b6bs42sm5w1v1f7w3kx8gx83qmyp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments