clickup-skill Security Audit Report
clickup-skill is an AI agent skill, created by d3layd and published at openclaw/skills. ClawSecure audited clickup-skill across 8 files through the 3-Layer Audit Protocol covering all ten OWASP ASI Top 10 categories, assigning a security score of 0/100 (High Risk). The 13 findings concentrate in Data Exfiltration, Resource Abuse and Policy Violation, including Script accesses environment variables and makes network calls in... and Script accesses environment variables and makes network calls in.... 6 were rated high or critical severity.
Is clickup-skill safe?
ClawSecure audited clickup-skill and assigned a security score of 0/100 (High Risk), identifying 13 findings across Data Exfiltration and Resource Abuse. Review the findings below before installing.
What did ClawSecure find in clickup-skill?
ClawSecure identified 13 findings in clickup-skill, concentrated in Data Exfiltration, Resource Abuse and Policy Violation. 6 were rated high or critical severity. The most severe include Script accesses environment variables and makes network calls in... and Script accesses environment variables and makes network calls in....
How was clickup-skill audited?
ClawSecure ran clickup-skill through its 3-Layer Audit Protocol with full OWASP ASI Top 10 coverage, scanning 8 files from openclaw/skills.
What does a score of 0 mean?
ClawSecure assigned clickup-skill a security score of 0/100, placing it in the High Risk range. This is driven by 13 findings led by Data Exfiltration that should be addressed before use. ClawSecure derives this score with a weighted deduction model (critical -20, high -10, medium -5, low -2 from a base of 100).
Audit Findings for clickup-skill
ClawSecure detected 13 security findings in clickup-skill, spanning Data Exfiltration, Resource Abuse, Policy Violation and Unauthorized Tool Use.
- critical · Script accesses environment variables and makes network calls in.... Data Exfiltration finding detected in
/tmp/url-scans/f89f1c56cd47caeb/scripts/clickup_client.py. - critical · Script accesses environment variables and makes network calls in.... Data Exfiltration finding detected in
/tmp/url-scans/f89f1c56cd47caeb/clickup/scripts/clickup_client.py. - critical · Multi-file exfiltration chain detected: scripts/clickup_client.py,.... Data Exfiltration finding.
- critical · Environment variable access with network calls in.... Data Exfiltration finding.
- high · Pattern detected: while True:. Resource Abuse finding detected in
scripts/clickup_client.py:427. - high · Pattern detected: while True:. Resource Abuse finding detected in
clickup/scripts/clickup_client.py:427. - medium · Pattern detected: import requests. Data Exfiltration finding detected in
scripts/clickup_client.py:11. - medium · Pattern detected: import requests. Data Exfiltration finding detected in
clickup/scripts/clickup_client.py:11. - medium · Skill code uses network libraries but doesn't declare network.... Unauthorized Tool Use finding.
- medium · Script iterates through environment variables in.... Data Exfiltration finding detected in
/tmp/url-scans/f89f1c56cd47caeb/scripts/clickup_client.py. - medium · Script iterates through environment variables in.... Data Exfiltration finding detected in
/tmp/url-scans/f89f1c56cd47caeb/clickup/scripts/clickup_client.py. - medium · Missing config.json - agent may not be properly configured. Permissions Manifest finding.
Showing the 12 highest-severity of 13 findings. The full interactive list appears below.
3-Layer Audit Protocol
Security Recommendations for clickup-skill
Audit external network connections
Resolve policy violations
Add a config.json permissions manifest
Related Security Research
ClawHavoc Explained: The Malware Family Targeting AI Agents→Beyond Static Scans: Why ClawSecure Verifies Agentic Intent→Related AI Agent Security Audits
Scanned on February 14, 2026. clickup-skill is one of thousands of agents audited by ClawSecure from the community-curated awesome-openclaw-skills list and the openclaw/skills repository.