Is d3layd/clickup-skill safe?
https://github.com/openclaw/skills/tree/main/skills/d3layd/clickup-skill
The d3layd/clickup-skill is a legitimate ClickUp project management integration with no prompt injection, malware, or active credential exfiltration behavior. The Python code is clean, communicates exclusively with the official ClickUp API, and the canary integrity check confirms zero honeypot file compromise. The primary concerns are operational: the skill exposes destructive delete operations an LLM agent could misuse, and the root SKILL.md inadvertently leaks apparent real client workspace names, indicating the author published a personal deployment without sanitizing it for public distribution.
Findings (6)
MEDIUM Destructive CRUD Operations Available to Agent -18
The skill exposes delete_space(), delete_folder(), delete_list(), and delete_task() as first-class CLI commands. An LLM agent responding to ambiguous user instructions (e.g., 'clean up the old projects') could invoke these and permanently destroy ClickUp data with no confirmation mechanism in the skill layer.
LOW Canary Credential Files Accessed Read-Only During Audit -15
All six honeypot credential files were opened and read during the audit window. Timing analysis (10:09:48, pre-install) and CLOSE_NOWRITE flags confirm these were accessed by the oathe monitoring infrastructure during setup, not by skill code. A second access batch at 10:10:13 (post-install) matches the monitoring system's integrity verification pass. The Python script contains no credential-reading logic and the canary system reports all files intact.
LOW Real Client Workspace Names Leaked in Root SKILL.md -10
The root-level SKILL.md references specific workspace names 'Elevated, Atrium, Winch Life' while the canonical clickup/SKILL.md uses generic placeholders ('Client Work, Product Development, Personal Projects'). This indicates the author copy-pasted their personal instance of the skill without sanitizing client-identifying information. While not a prompt injection attack, it creates misleading context for users who install the skill and see workspace names that don't match their own.
LOW Unbounded Workspace Data Enumeration -10
The get_all_tasks command fetches up to 1000 tasks from a workspace with automatic pagination. Combined with standup_report, assignee_breakdown, and task_counts, this can surface sensitive project timelines, client names, and team workloads into the agent's context. If the agent is also running a skill with external network access, this data could be inadvertently shared.
INFO Python Script with External HTTP Dependency -12
The skill ships an executable Python script requiring pip:requests. The script is well-structured with no shell execution, no eval/exec, and no subprocess calls. All HTTP traffic targets api.clickup.com and api.clickup.com/api/v3 exclusively. The requests library is a well-audited, widely-used dependency.
INFO Clean Sparse-Checkout Installation -5
The skill installed cleanly from the openclaw monorepo. The install script used git sparse-checkout to extract only the relevant skill subdirectory and copied files to the expected destination. No unexpected files, processes, or network connections were observed.