clickup-mcp
Warn
Audited by Socket on Mar 24, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The stated ClickUp purpose is legitimate and the remote MCP endpoint is official, but the skill's core workaround is not: it extracts a long-lived OAuth token from Claude's credential file, stores it in a new env file, and forwards it to mcporter, a non-ClickUp tool with unclear trust. That creates disproportionate credential-handling and supply-chain risk even without clear evidence of malware.
Confidence: 89%
Severity: 86%
Audit Metadata