← 返回 Skills 市场
visionplay303

Clickup Task

作者 VisionPlay303 · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
113
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install clickup-task
功能描述
Create tasks in Vision Play ClickUp lists (visionplay or inbox).
使用说明 (SKILL.md)

Usage (Telegram / Chat)

Use the slash command:

/clickup-task \x3Clist> "\x3Ctitle>" "\x3Cdescription>"

  • \x3Clist> must be: visionplay OR inbox
  • title is required
  • description is optional (use "" if you want blank)

Examples: /clickup-task visionplay "Follow up with Rahul" "Ask for proposal + timeline" /clickup-task inbox "Review tax doc" ""

What this skill does

It runs this script on the server:

/usr/local/bin/clickup_create_task.sh \x3Clist> "\x3Ctitle>" "\x3Cdescription>"

Execution instructions (for the agent)

When the user invokes this command:

  1. Parse list/title/description exactly.
  2. Run:

bash -lc '/usr/local/bin/clickup_create_task.sh "\x3Clist>" "\x3Ctitle>" "\x3Cdescription>"'

  1. Return ClickUp API response (or any error text) to the user.
安全使用建议
This skill appears to do what it says (create ClickUp tasks) and only asks for a ClickUp token and list IDs, but the actual work is delegated to a server script (/usr/local/bin/clickup_create_task.sh) that is not included for review. Before installing or enabling this skill: 1) inspect the script at /usr/local/bin/clickup_create_task.sh to confirm it only calls the ClickUp API and does not read or transmit other data; 2) ensure the agent will properly escape or validate user-supplied title/description to prevent shell injection; 3) use a ClickUp token with minimal scope (dedicated service account or limited permissions) in case the script is compromised; and 4) if you cannot review the script, consider rejecting or requesting the skill author provide the script source or embed the minimal HTTP-curl logic in the skill bundle for auditability.
功能分析
Type: OpenClaw Skill Name: clickup-task Version: 1.0.0 The skill bundle exhibits a critical shell injection vulnerability in SKILL.md, where user-provided inputs (list, title, description) are directly interpolated into a 'bash -lc' command string. Furthermore, the skill relies on an external script located at /usr/local/bin/clickup_create_task.sh which is not included in the bundle, preventing a full security audit of the execution logic. While these represent significant security risks, there is no clear evidence of intentional malice or data exfiltration.
能力评估
Purpose & Capability
Name and description align with required items: bash/curl and CLICKUP_TOKEN plus two ClickUp list IDs are expected for creating ClickUp tasks.
Instruction Scope
The SKILL.md tells the agent to execute /usr/local/bin/clickup_create_task.sh with user-provided arguments. The script itself is not included, so its behavior cannot be audited. The instructions also don't require explicit validation or escaping of user inputs (title/description), which creates a risk of shell/command injection or unexpected side effects from the underlying script.
Install Mechanism
This is instruction-only with no install spec (low install risk). However, it depends on a pre-existing binary at /usr/local/bin/clickup_create_task.sh that the bundle does not install or disclose, which is unusual and prevents review of what will actually run.
Credentials
Requested environment variables (CLICKUP_TOKEN and two CLICKUP_LIST_* IDs) are proportionate to the described task-creation use case. No unrelated secrets are requested.
Persistence & Privilege
always is false and the skill has no install/persistence behavior. It does allow normal autonomous invocation (platform default) but does not request elevated persistent privileges.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install clickup-task
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /clickup-task 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release of clickup-task skill. - Enables creation of tasks in specific ClickUp lists (visionplay or inbox) via slash command. - Accepts task title (required) and description (optional). - Executes a server-side script to submit tasks to ClickUp. - Returns the ClickUp API response or any error message to the user.
元数据
Slug clickup-task
版本 1.0.0
许可证 MIT-0
累计安装 1
当前安装数 1
历史版本数 1
常见问题

Clickup Task 是什么?

Create tasks in Vision Play ClickUp lists (visionplay or inbox). 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 113 次。

如何安装 Clickup Task?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install clickup-task」即可一键安装,无需额外配置。

Clickup Task 是免费的吗?

是的,Clickup Task 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。

Clickup Task 支持哪些平台?

Clickup Task 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Clickup Task?

由 VisionPlay303(@visionplay303)开发并维护,当前版本 v1.0.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论