Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

teambitionweng

v1.0.0

Create and query tasks in TeamBition with support for multiple app configurations and automatic token management.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name/description (TeamBition task create/query) align with the code and SKILL.md: the skill uses TeamBition OAuth and API endpoints to create and query tasks. However, the registry metadata lists no required environment variables while the SKILL.md and main.py clearly require TEAMBITION_APP_ID and TEAMBITION_APP_SECRET (and optionally access token, org_id, default_project_id). That metadata omission is inconsistent and meaningful for security decisions.
Instruction Scope
SKILL.md and main.py only describe and perform actions related to TeamBition: obtaining an access token via the official OAuth endpoint and calling TeamBition task APIs. There are no instructions to read local files or other environment variables, or to send data to unrelated external endpoints.
Install Mechanism
There is no install spec (instruction-only with a small Python file). Nothing is downloaded or installed by the skill itself; risk from install mechanism is low.
! Credentials
The skill legitimately requires sensitive credentials (app ID and secret, and optionally an access token). Those requests are proportionate to the task. However, the registry metadata does not declare any required env vars or primary credential, creating an inconsistency: the platform/user must be informed that they need to provide secrets before binding. Requesting the app secret is normal here, but you should confirm how the platform will store and protect these credentials.
Persistence & Privilege
always is false and the skill doesn't attempt to modify other skills or agent-wide settings. It makes network calls to TeamBition but does not request persistent platform-level privileges beyond normal secret storage.
What to consider before installing
This skill appears to do what it says (create/query TeamBition tasks), but the registry metadata fails to declare the required credentials (TEAMBITION_APP_ID and TEAMBITION_APP_SECRET) that the SKILL.md and code require. Before installing: (1) confirm with the publisher or registry why required credentials are not listed and ensure the platform will prompt for and securely store them; (2) only supply a TeamBition app with minimal scopes (task:read/task:write) and ideally a test account; (3) verify network calls go to open.teambition.com and review the app's permissions in TeamBition; (4) consider testing in an isolated environment first. If the publisher cannot explain the missing metadata, treat the skill as untrusted until that is fixed.
