📦 ClickUp — Project Management

v1.2.0

ClickUp project management tool with support for task management, team collaboration, and progress tracking.

9 · 3.9k · 21 current · 21 total
Last updated: 2026/2/27
Security scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
The skill appears to implement a legitimate ClickUp API helper, but its declared metadata omits required credentials and tool dependencies — the mismatch is concerning and should be fixed or clarified before use.
Assessment recommendations
This skill's code and docs implement a normal ClickUp API helper, but the package metadata failed to declare required secrets and runtime dependencies. Before installing or using it:
- Confirm you will provide a ClickUp API token (CLICKUP_API_KEY) scoped minimally (read-only if possible) and the CLICKUP_TEAM_ID. Treat the token as sensitive.
- Ensure the runtime environment has curl, jq, and common shell utilities the script uses.
- Review scripts/clickup-query.sh yourself (it calls only api.cli...
Detailed analysis
Purpose and capability
Name/description match the implementation: the script and docs perform ClickUp API calls and legitimately need a ClickUp API token and team ID. HOWEVER the registry metadata claims no required env vars or primary credential, which is inconsistent with the documented and implemented requirements.
Instruction scope
SKILL.md and references only instruct calling ClickUp endpoints (api.clickup.com), using the helper script, and following pagination/subtask rules. There are no instructions to read unrelated files or exfiltrate data to unexpected endpoints. It references TOOLS.md for configuration (expected).
Install mechanism
No install spec (instruction-only + script) — lower risk. But the helper script expects runtime tools (curl, jq, awk, sort, uniq) which the registry did not declare as required binaries; callers must ensure these exist. No downloads or executables are fetched from external URLs.
Credential requirements
The script requires CLICKUP_API_KEY and CLICKUP_TEAM_ID (sensitive token + workspace id). Those environment variables are documented in SKILL.md but are not declared in the registry metadata (no primaryEnv listed). This mismatch reduces transparency and may cause accidental misuse (e.g., supplying overly-scoped or overly-broad tokens).
Persistence and privileges
Skill does not request always:true, does not modify other skills, and has no install-time persistence. Autonomous invocation is allowed (platform default) but that is expected and not an intrinsic red flag alone.
Security is layered; review the code before running it.

Runtime dependencies

No special dependencies

Versions

latest · v1.2.0 · 2026/1/29

Updated API patterns, improved pagination handling, better assignee filtering, added task count queries

Benign

Install command

Official: npx clawhub@latest install clickup
Mirror: npx clawhub@latest install clickup --registry https://cn.longxiaskill.com
Data source: ClawHub · Chinese optimization: 龙虾技能库