clickup
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on a local Python script,
skills/clickup/scripts/clickup_client.py, to perform operations. The documentation provides numerous examples of executing this script via the command line to manage tasks, workspaces, and reporting. - [PROMPT_INJECTION]: The skill possesses an attack surface for indirect prompt injection because it retrieves and processes content (such as task names, descriptions, and document text) from the ClickUp API which is under the control of potentially untrusted users.
- Ingestion points: Data enters the agent's context through commands like
get_task,get_tasks,get_all_tasks, andget_doclocated inskills/clickup/scripts/clickup_client.pywhich fetch external content from ClickUp. - Boundary markers: No specific delimiters or instructions to ignore embedded commands are documented for the data retrieved from ClickUp.
- Capability inventory: The skill has broad capabilities including creating and updating tasks, spaces, folders, lists, and documents, as well as managing time tracking and dependencies via
skills/clickup/scripts/clickup_client.py. - Sanitization: The documentation does not mention any sanitization or validation of the content retrieved from ClickUp before it is processed by the agent.
Audit Metadata