by 下载技能包
最后更新
2026/2/28
安全扫描
OpenClaw
可疑
medium confidenceThe skill appears to implement a ClickUp integration as advertised, but it reads a TOOLS.md file three directories up (potentially exposing unrelated secrets) and the registry metadata does not declare the environment variables the code actually requires — these mismatches warrant caution.
评估建议
This skill implements a ClickUp integration but has two issues you should consider before installing: (1) the code will look for credentials in a TOOLS.md file located at ../../../../clawd/TOOLS.md relative to the skill, which means it will read a file outside the skill directory — verify where that file lives and what it contains (avoid keeping other secrets there); (2) the registry metadata does not list the required CLICKUP_API_TOKEN and CLICKUP_WORKSPACE_ID environment variables, so the skil...详细分析 ▾
⚠ 用途与能力
SKILL.md and skill.js implement a ClickUp API integration (listing/creating/updating/searching tasks), which is consistent. However the registry metadata says 'Required env vars: none' while both SKILL.md and skill.js require CLICKUP_API_TOKEN and CLICKUP_WORKSPACE_ID — this metadata mismatch is incoherent and could mislead users about what credentials are needed.
⚠ 指令范围
The runtime instructions tell the user to put credentials in TOOLS.md or env vars. The code implements that by reading a CONFIG_PATH computed as join(__dirname, '..', '..', '..', 'clawd', 'TOOLS.md'), i.e. a file outside the skill directory. Reading an external TOOLS.md is scope creep: it can expose any content in that file (not just ClickUp tokens) and the SKILL.md does not specify the exact expected path or format clearly.
✓ 安装机制
There is no install spec (instruction-only install). The package contains code but it does not fetch remote artifacts or run an installer; risk from the install mechanism is low.
ℹ 凭证需求
Requesting CLICKUP_API_TOKEN and CLICKUP_WORKSPACE_ID is appropriate for a ClickUp integration. However these env vars are not declared in the registry metadata and the implementation additionally attempts to parse credentials from TOOLS.md (which may contain other secrets). That combination increases the chance of accidental exposure if TOOLS.md holds unrelated credentials.
✓ 持久化与权限
The skill does not request always:true, does not modify other skills or system-wide settings, and does not ask to be persistently installed beyond normal skill code — privileges appear normal for a tool integration.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.22026/2/5
- Added integration documentation for the ClickUp API, including authentication, common API actions, and endpoints. - Provided clear guidance for task assignment between humans, AI, and collaborative work. - Included example API requests for listing, creating, updating, and retrieving tasks. - Documented required request headers and common status values. - Outlined error handling for common issues such as authentication, missing resources, and rate limiting.
● 无害
安装命令
点击复制官方npx clawhub@latest install test-manager
镜像加速npx clawhub@latest install test-manager --registry https://cn.longxiaskill.com