clickup-security-basics
Enhances ClickUp security by managing API tokens, implementing least-privilege access, and auditing usage effectively.
Security score
The clickup-security-basics skill was audited on May 18, 2026, and we found 17 security issues across 4 threat categories. Review the findings below before installing.
Security Issues
| Finding | Line | Code |
| --- | --- | --- |
| Template literal with variable interpolation in command context | 93 | return `https://app.clickup.com/api?${params}`; |
| Template literal with variable interpolation in command context | 109 | if (!token) throw new Error(`Missing ${tokenKey} for environment: ${env}`); |
| Template literal with variable interpolation in command context | 137 | const response = await fetch(`https://api.clickup.com/api/v2${path}`, { |
| Curl to non-GitHub URL | 71 | curl -sf https://api.clickup.com/api/v2/user \ |
| Webhook reference - potential data exfiltration | 165 | - [ ] Webhook endpoints use HTTPS only |
| Access to .env file | 42 | # .env (NEVER commit) |
| Access to .env file | 46 | .env |
| Access to .env file | 47 | .env.local |
| Access to .env file | 48 | .env.*.local |
| Access to .env file | 90 | client_id: process.env.CLICKUP_CLIENT_ID!, |
| Access to .env file | 91 | redirect_uri: process.env.CLICKUP_REDIRECT_URI!, |
| Access to .env file | 101 | const env = process.env.NODE_ENV ?? 'development'; |
| Access to .env file | 108 | const token = process.env[tokenKey]; |
| Access to .env file | 159 | - [ ] `.env` files listed in `.gitignore` |
| External URL reference | 71 | curl -sf https://api.clickup.com/api/v2/user \ |
| External URL reference | 93 | return `https://app.clickup.com/api?${params}`; |
| External URL reference | 137 | const response = await fetch(`https://api.clickup.com/api/v2${path}`, { |