← Back to Skills Marketplace

Clickup Task

Name: Clickup Task
Author: visionplay303

by VisionPlay303 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

113

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install clickup-task

Description

Create tasks in Vision Play ClickUp lists (visionplay or inbox).

README (SKILL.md)

Usage (Telegram / Chat)

Use the slash command:

/clickup-task \x3Clist> "\x3Ctitle>" "\x3Cdescription>"

\x3Clist> must be: visionplay OR inbox
title is required
description is optional (use "" if you want blank)

Examples: /clickup-task visionplay "Follow up with Rahul" "Ask for proposal + timeline" /clickup-task inbox "Review tax doc" ""

What this skill does

It runs this script on the server:

/usr/local/bin/clickup_create_task.sh \x3Clist> "\x3Ctitle>" "\x3Cdescription>"

Execution instructions (for the agent)

When the user invokes this command:

Parse list/title/description exactly.
Run:

bash -lc '/usr/local/bin/clickup_create_task.sh "\x3Clist>" "\x3Ctitle>" "\x3Cdescription>"'

Return ClickUp API response (or any error text) to the user.

Usage Guidance

This skill appears to do what it says (create ClickUp tasks) and only asks for a ClickUp token and list IDs, but the actual work is delegated to a server script (/usr/local/bin/clickup_create_task.sh) that is not included for review. Before installing or enabling this skill: 1) inspect the script at /usr/local/bin/clickup_create_task.sh to confirm it only calls the ClickUp API and does not read or transmit other data; 2) ensure the agent will properly escape or validate user-supplied title/description to prevent shell injection; 3) use a ClickUp token with minimal scope (dedicated service account or limited permissions) in case the script is compromised; and 4) if you cannot review the script, consider rejecting or requesting the skill author provide the script source or embed the minimal HTTP-curl logic in the skill bundle for auditability.

Capability Analysis

Type: OpenClaw Skill Name: clickup-task Version: 1.0.0 The skill bundle exhibits a critical shell injection vulnerability in SKILL.md, where user-provided inputs (list, title, description) are directly interpolated into a 'bash -lc' command string. Furthermore, the skill relies on an external script located at /usr/local/bin/clickup_create_task.sh which is not included in the bundle, preventing a full security audit of the execution logic. While these represent significant security risks, there is no clear evidence of intentional malice or data exfiltration.

Capability Assessment

✓ Purpose & Capability

Name and description align with required items: bash/curl and CLICKUP_TOKEN plus two ClickUp list IDs are expected for creating ClickUp tasks.

⚠ Instruction Scope

The SKILL.md tells the agent to execute /usr/local/bin/clickup_create_task.sh with user-provided arguments. The script itself is not included, so its behavior cannot be audited. The instructions also don't require explicit validation or escaping of user inputs (title/description), which creates a risk of shell/command injection or unexpected side effects from the underlying script.

ℹ Install Mechanism

This is instruction-only with no install spec (low install risk). However, it depends on a pre-existing binary at /usr/local/bin/clickup_create_task.sh that the bundle does not install or disclose, which is unusual and prevents review of what will actually run.

✓ Credentials

Requested environment variables (CLICKUP_TOKEN and two CLICKUP_LIST_* IDs) are proportionate to the described task-creation use case. No unrelated secrets are requested.

✓ Persistence & Privilege

always is false and the skill has no install/persistence behavior. It does allow normal autonomous invocation (platform default) but does not request elevated persistent privileges.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install clickup-task
After installation, invoke the skill by name or use /clickup-task
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release of clickup-task skill. - Enables creation of tasks in specific ClickUp lists (visionplay or inbox) via slash command. - Accepts task title (required) and description (optional). - Executes a server-side script to submit tasks to ClickUp. - Returns the ClickUp API response or any error message to the user.

Metadata

Slug clickup-task

Version 1.0.0

License MIT-0

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Clickup Task?

Create tasks in Vision Play ClickUp lists (visionplay or inbox). It is an AI Agent Skill for Claude Code / OpenClaw, with 113 downloads so far.

How do I install Clickup Task?

Run "/install clickup-task" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Clickup Task free?

Yes, Clickup Task is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Clickup Task support?

Clickup Task is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Clickup Task?

It is built and maintained by VisionPlay303 (@visionplay303); the current version is v1.0.0.

More Skills