clickup
Audited by Socket on Feb 23, 2026
1 alert found:
Malware [Skill Scanner]: Natural language instruction to download and install from URL detected

All findings:
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]
[HIGH] command_injection: Backtick command substitution detected (CI003) [AITech 9.1.4]

The document describes a legitimate integration pattern (managed OAuth gateway) but centralizes high-impact credentials and API traffic with a third party (Maton). The content itself contains no overt malware or obfuscation; however, the gateway design creates a material supply-chain/trust risk: possession or compromise of MATON_API_KEY or Maton control APIs could allow broad access to ClickUp accounts, webhook secrets, and data. Recommend verifying Maton's security posture, using scoped/rotated keys, and minimizing exposure of MATON_API_KEY in operational environments before adopting this integration.

LLM verification: This skill is a ClickUp integration that intentionally proxies all API calls and OAuth flows through Maton-managed services (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai). Functionality matches the stated purpose (managed OAuth and API proxying), but the design centralizes sensitive data and OAuth tokens with a third party. That centralization is not itself evidence of malware, but it increases the attack surface and requires users to trust Maton with credentials and ClickUp data. No immedi