
Audit history

clickup-integration-expert - 6 Audits

Audit version 6

Latest - Low risk

Jun 28, 2026, 08:54 AM

The static external-command and weak-cryptography findings are false positives caused by Markdown code fences, inline command names, and table text. The only confirmed concern is a documented setup command that adds the official ClickUp MCP endpoint and requires OAuth, which is expected for this integration.

Files scanned: 1
Lines analyzed: 69
Review items: 4
False positives ignored: 0

Confirmed security concerns (1)

Low
False Positive: Weak Cryptography Detection
The reported weak cryptographic algorithm findings occur on the frontmatter description and a Markdown table header. No hashing, encryption, or cryptographic API usage is present.
The exact cited lines contain descriptive text and table formatting only. There is no code that implements MD5, SHA-1, or another weak cryptographic primitive.
Capability review items (2)

These are real local capabilities that may be expected for this skill, so they require review but are not counted as confirmed malicious behavior.

Low
Documented ClickUp MCP Network Endpoint
The skill instructs users to add the official ClickUp MCP endpoint and authenticate with OAuth. This is expected functionality, but users should understand that roadmap data may be sent to ClickUp during sync operations.
The endpoint and OAuth step are clearly documented, and they match the stated ClickUp integration purpose. I found no evidence of hidden or unrelated network destinations.
Low
False Positive: Markdown Backtick Execution
The reported Ruby or shell backtick execution findings point to Markdown code fences, inline command names, and documentation tables. No executable Ruby code or shell backtick substitution is present.
The cited lines are Markdown documentation and command examples, not runnable skill code. The package contains only SKILL.md, so there is no script execution path.

Risk factors

🌐 Network access (1)
Reviewed by: codex

Audit version 5

Safe

Jan 16, 2026, 04:46 PM

Pure prompt-based skill with no executable code. Only contains documentation about ClickUp integration patterns and MCP usage. No file access, network calls, or command execution capabilities. Static findings are false positives caused by the scanner misidentifying documentation formatting and JSON examples as security patterns.

Files scanned: 2
Lines analyzed: 113
Review items: 2
False positives ignored: 0
Reviewed by: claude

Audit version 4

Safe

Jan 16, 2026, 04:46 PM

Pure prompt-based skill with no executable code. Only contains documentation about ClickUp integration patterns and MCP usage. No file access, network calls, or command execution capabilities. Static findings are false positives caused by the scanner misidentifying documentation formatting and JSON examples as security patterns.

Files scanned: 2
Lines analyzed: 113
Review items: 2
False positives ignored: 0
Reviewed by: claude

Audit version 3

Safe

Jan 10, 2026, 10:17 AM

Pure prompt-based skill with no executable code. Only contains documentation about ClickUp integration patterns and MCP usage. No file access, network calls, or command execution capabilities.

Files scanned: 1
Lines analyzed: 69
Review items: 0
False positives ignored: 0
No security issues found
Reviewed by: claude

Audit version 2

Safe

Jan 10, 2026, 10:17 AM

Pure prompt-based skill with no executable code. Only contains documentation about ClickUp integration patterns and MCP usage. No file access, network calls, or command execution capabilities.

Files scanned: 1
Lines analyzed: 69
Review items: 0
False positives ignored: 0
No security issues found
Reviewed by: claude

Audit version 1

Safe

Jan 10, 2026, 10:17 AM

Pure prompt-based skill with no executable code. Only contains documentation about ClickUp integration patterns and MCP usage. No file access, network calls, or command execution capabilities.

Files scanned: 1
Lines analyzed: 69
Review items: 0
False positives ignored: 0
No security issues found
Reviewed by: claude