clickup
Automates task management and project workflows in ClickUp using its API for enhanced productivity and integration.
Security score
The clickup skill was audited on May 15, 2026 and we found 47 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context

| Line | Code |
|---|---|
| 49 | const res = await fetch(`${BASE}${path}`, { |
| 54 | if (!res.ok) throw new Error(`${res.status}: ${await res.text()}`); |
| 59 | For OAuth2 (multi-user), redirect to `https://app.clickup.com/api?client_id=${CLIENT_ID}&redirect_uri=${REDIRECT_URI}`, then exchange the code at `POST /api/v2/oauth/token`. |
| 70 | const spaces = await clickup("GET", `/team/${teamId}/space?archived=false`); |
| 73 | const folder = await clickup("POST", `/space/${spaceId}/folder`, { name: "Q1 2026 Roadmap" }); |
| 74 | const list = await clickup("POST", `/folder/${folderId}/list`, { |
| 83 | const task = await clickup("POST", `/list/${listId}/task`, { |
| 93 | `/list/${listId}/task?archived=false&order_by=due_date&statuses[]=in+progress&subtasks=true`); |
| 96 | await clickup("PUT", `/task/${taskId}`, { |
| 102 | await clickup("POST", `/list/${listId}/task`, { name: "Write tests", parent: parentTaskId }); |
| 103 | await clickup("POST", `/task/${taskId}/comment`, { comment_text: "Blocked by auth outage." }); |
| 104 | await clickup("POST", `/task/${taskId}/dependency`, { depends_on: blockingTaskId }); |
| 111 | const fields = await clickup("GET", `/list/${listId}/field`); |
| 114 | await clickup("POST", `/task/${taskId}/field/${fieldId}`, { value: "option_uuid" }); |
| 115 | await clickup("POST", `/task/${taskId}/field/${numberFieldId}`, { value: 42 }); |
| 118 | await clickup("POST", `/task/${taskId}/time`, { |
| 125 | `/team/${teamId}/time_entries?start_date=${Date.now() - 7 * 86400000}&end_date=${Date.now()}`); |
| 132 | const goal = await clickup("POST", `/team/${teamId}/goal`, { |
| 135 | await clickup("POST", `/goal/${goalId}/key_result`, { |
| 140 | const webhook = await clickup("POST", `/team/${teamId}/webhook`, { |
| 157 | await clickup("PUT", `/task/${task_id}`, { assignees: { add: [reviewerUserId] } }); |
| 180 | ```yaml |

Curl to non-GitHub URL

| Line | Code |
|---|---|
| 39 | curl -s https://api.clickup.com/api/v2/user \ |
| 184 | curl -X POST "https://api.clickup.com/api/v2/list/${{ secrets.CLICKUP_BUG_LIST_ID }}/task" \ |

Webhook reference - potential data exfiltration

| Line | Code |
|---|---|
| 5 | lists, and spaces via the ClickUp API, build automations and webhooks, create |
| 9 | webhooks, custom fields, automations, and reporting. |
| 28 | Automate and extend ClickUp — the all-in-one productivity platform. This skill covers the full ClickUp API v2 for managing workspaces, spaces, folders, lists, and tasks programmatically. Includes webh |
| 128 | ### Step 5: Goals & Webhooks |
| 139 | // Create a webhook |
| 140 | const webhook = await clickup("POST", `/team/${teamId}/webhook`, { |
| 141 | endpoint: "https://your-server.com/clickup/webhook", |
| 146 | **Webhook handler** (Express): |
| 148 | app.post("/clickup/webhook", async (req, res) => { |
| 150 | const hmac = crypto.createHmac("sha256", process.env.CLICKUP_WEBHOOK_SECRET!); |
| 172 | await fetch(process.env.SLACK_WEBHOOK_URL!, { |
| 200 | **User prompt:** "Create a webhook that watches for urgent tasks in the Bug Triage list and notifies #oncall in Slack with the task name and assignee. Also set up a GitHub Actions step that auto-creat |
| 202 | The agent will create a ClickUp webhook scoped to the Bug Triage list listening for `taskPriorityUpdated` events. It will write an Express webhook handler that verifies the signature, checks if the ne |
| 209 | - **Scope webhooks narrowly** — use the optional `space_id`, `folder_id`, or `list_id` parameters when creating webhooks to avoid processing irrelevant events from the entire workspace. |
| 210 | - **Validate webhook signatures** — always verify the `x-signature` header using HMAC-SHA256 with your webhook secret before processing any payload to prevent spoofed requests. |

Access to .env file

| Line | Code |
|---|---|
| 46 | const TOKEN = process.env.CLICKUP_API_TOKEN; |
| 150 | const hmac = crypto.createHmac("sha256", process.env.CLICKUP_WEBHOOK_SECRET!); |
| 172 | await fetch(process.env.SLACK_WEBHOOK_URL!, { |

External URL reference

| Line | Code |
|---|---|
| 39 | curl -s https://api.clickup.com/api/v2/user \ |
| 45 | const BASE = "https://api.clickup.com/api/v2"; |
| 59 | For OAuth2 (multi-user), redirect to `https://app.clickup.com/api?client_id=${CLIENT_ID}&redirect_uri=${REDIRECT_URI}`, then exchange the code at `POST /api/v2/oauth/token`. |
| 141 | endpoint: "https://your-server.com/clickup/webhook", |
| 184 | curl -X POST "https://api.clickup.com/api/v2/list/${{ secrets.CLICKUP_BUG_LIST_ID }}/task" \ |