clickup

SUSPICIOUS. The skill’s purpose is coherent for ClickUp task/doc management, and its data flow appears intended for ClickUp. However, it hinges on an unverified global `clickup` CLI with no documented provenance in the supplied skill, while official ClickUp docs more clearly support direct API/OAuth and an official MCP path. That external dependency trust gap makes the skill high security risk even without clear evidence of malware.