ClawHub
Back to skill
v1.0.0

teambition

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 8:31 AM.

Analysis

This is a coherent TeamBition integration that uses configured TeamBition credentials to read and create tasks, with no hidden or destructive behavior shown.

GuidanceBefore installing, make sure you are comfortable giving this skill TeamBition task read/write access. Configure it with the narrowest usable TeamBition app/token and use explicit actions when asking it to create or query tasks.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
main.py
action = params.get("action", "create_task") ... resp = requests.post(url, headers=headers, json=task_data)

Task creation is a write operation and is also the default action if no action is supplied.

User impactA valid invocation with enough task details can create a new task in TeamBition, changing the user's project workspace.
RecommendationInvoke the skill with an explicit action and confirm task title/project details before allowing automated task creation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
main.py
self.app_secret = config["TEAMBITION_APP_SECRET"] ... "scope": "task:read task:write"

The skill uses a TeamBition app secret to obtain an access token with task read and write permissions.

User impactAnyone configuring the skill grants it the ability to read and create TeamBition tasks allowed by that app/token.
RecommendationUse a least-privileged TeamBition app or token, restrict it to the intended projects where possible, and rotate the secret if access is no longer needed.