clickup
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill enables the ingestion of untrusted data from the ClickUp workspace, creating a surface for indirect prompt injection attacks where malicious instructions in task names or descriptions could influence the agent.
- Ingestion points: Content is retrieved via multiple tools including `clickup_search`, `clickup_get_task`, and `clickup_get_task_comments` in `app.py`.
- Boundary markers: The skill does not implement delimiters or safety instructions to separate retrieved workspace data from system instructions.
- Capability inventory: The skill has extensive write permissions, including `clickup_create_task`, `clickup_send_chat_message`, and `clickup_update_document_page` in `app.py`.
- Sanitization: There is no evidence of sanitization or filtering of data retrieved from the ClickUp API before it enters the agent's context.
- [SAFE]: The skill connects to a remote Model Context Protocol (MCP) server at `https://mcp.clickup.com/mcp`. This is a subdomain of `clickup.com`, which is a well-known and trusted technology service.
- [SAFE]: Authentication tokens are stored in the user's home directory (`~/.mcp-skill/auth/`), which is standard practice for this type of agent integration.
- [SAFE]: Dependencies are limited to `mcp-skill`, a common library for building Model Context Protocol skills.
Audit Metadata