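📦 Clickup Task — Create Task
v1.0.0
Quickly create tasks in the visionplay or inbox list of Vision Play ClickUp, automatically syncing the title, description, priority and other information, so ideas go straight onto the project-management board without switching interfaces.
0 · 96 · 1 current · 1 total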
Last updated
2026/3/25
Security scan
OpenClaw
Suspicious
medium confidence
The skill's stated purpose (creating ClickUp tasks) matches the requested credentials, but it relies on an external server-side script at /usr/local/bin/clickup_create_task.sh that is not included or described, and the runtime instructions leave room for command-injection and unreviewed behavior.
Assessment recommendations
This skill appears to do what it says (create ClickUp tasks) and only asks for a ClickUp token and list IDs, but the actual work is delegated to a server script (/usr/local/bin/clickup_create_task.sh) that is not included for review. Before installing or enabling this skill: 1) inspect the script at /usr/local/bin/clickup_create_task.sh to confirm it only calls the ClickUp API and does not read or transmit other data; 2) ensure the agent will properly escape or validate user-supplied title/descr...
✓ Purpose and capability
Name and description align with required items: bash/curl and CLICKUP_TOKEN plus two ClickUp list IDs are expected for creating ClickUp tasks.
⚠ Instruction scope
The SKILL.md tells the agent to execute /usr/local/bin/clickup_create_task.sh with user-provided arguments. The script itself is not included, so its behavior cannot be audited. The instructions also don't require explicit validation or escaping of user inputs (title/description), which creates a risk of shell/command injection or unexpected side effects from the underlying script.
ℹ Install mechanism
This is instruction-only with no install spec (low install risk). However, it depends on a pre-existing binary at /usr/local/bin/clickup_create_task.sh that the bundle does not install or disclose, which is unusual and prevents review of what will actually run.
✓ Credential requirements
Requested environment variables (CLICKUP_TOKEN and two CLICKUP_LIST_* IDs) are proportionate to the described task-creation use case. No unrelated secrets are requested.
✓ Persistence and privileges
always is false and the skill has no install/persistence behavior. It does allow normal autonomous invocation (platform default) but does not request elevated persistent privileges.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v1.0.0 2026/3/25
Initial release of clickup-task skill.
- Enables creation of tasks in specific ClickUp lists (visionplay or inbox) via slash command.
- Accepts task title (required) and description (optional).
- Executes a server-side script to submit tasks to ClickUp.
- Returns the ClickUp API response or any error message to the user.
● Suspicious
Install command
Official: npx clawhub@latest install clickup-task
Mirror (accelerated): npx clawhub@latest install clickup-task --registry https://cn.longxiaskill.com