clickup

SUSPICIOUS: the skill's purpose and capabilities are mostly aligned, and the CLI install path is from a legitimate official registry package rather than a covert downloader. The main concern is data-flow integrity: ClickUp access and authentication are routed through Membrane as an intermediary, expanding trust and exposing project data to a third-party service. This is not clearly malicious, but it is a medium-risk brokered integration with unpinned CLI installation and meaningful write capability.