SS Requirements to Teambition

Advisory. Audited by static analysis on May 12, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can access SaleSmartly conversation data and act in Teambition as the configured user.

Why it was flagged

The workflow requires credentials for SaleSmartly and delegated Teambition access. This is expected for collecting conversations and creating tasks, but those credentials should be protected and scoped where possible.

Skill content

1. **SaleSmartly API Key** — SS admin console → Settings → API Management
2. **Teambition MCP** — see [tb_mcp_setup.md]

Recommendation

Use a dedicated or least-privilege account/token if available, protect config files, and revoke or rotate tokens when no longer needed.

What this means

Incorrect configuration or analysis could create unwanted or inaccurate Teambition tasks.

Why it was flagged

The agent is instructed to create Teambition tasks through MCP. This is the skill's core purpose, but it mutates a business workspace based on AI analysis.

Skill content

After aggregation, create the tasks with `teambition-mcp__createTaskV3`

Recommendation

Test with a small tag/project first, review generated tasks before enabling automation, and keep the configured project/stage IDs tightly scoped.

What this means

A compromised or unexpected package version could affect the Teambition MCP integration.

Why it was flagged

The setup uses a globally installed npm package without a pinned version. This is normal integration plumbing, but it depends on the external package source.

Skill content

npm install -g teambition-openapi-mcp

Recommendation

Install from the official source, consider pinning a known-good version, and review the package before granting it a User Token.

What this means

Customer chat records can persist locally and be loaded into the agent context for analysis.

Why it was flagged

The script stores collected customer conversation messages in local JSON files for later AI analysis. This is expected, but the files may contain sensitive customer or business information.

Skill content

"messages": messages,
...
out_path.write_text(json.dumps(output, ensure_ascii=False, indent=2))

Recommendation

Restrict which tags are collected, protect the scripts/data directory, avoid collecting unnecessary sensitive content, and adjust retention if 7 days is too long.

Note. High Confidence

ASI10: Rogue Agents

What this means

If enabled, the workflow may regularly read new conversations and create Teambition tasks without per-run confirmation.

Why it was flagged

The documentation provides an optional cron configuration that can run collection, analysis, and task creation on a schedule. It is disclosed and optional, but it performs autonomous recurring actions.

Skill content

"message": "执行 SS 需求采集:1) cd scripts && python3 collect.py 2) 读取 data/ 下最新 JSON 3) 按 config.json 配置分析并创建 TB 任务"

Recommendation

Enable cron only after manual testing, monitor the first runs, and disable the schedule if automatic task creation is not desired.