Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Atlassian Jira by altf1be
v1.1.3Atlassian Jira Cloud CRUD skill — manage issues, comments, attachments, workflow transitions, and JQL search via Jira REST API v3 with email + API token auth.
⭐ 1· 257·0 current·0 all-time
byAbdelkrim from Brussels@abdelkrim
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description (Jira Cloud CRUD) align with the requested env vars (JIRA_HOST, JIRA_EMAIL, JIRA_API_TOKEN) and the included CLI code. The declared dependencies (commander, dotenv) and package.json are appropriate for a Node.js CLI. Nothing requested appears unrelated to Jira functionality.
Instruction Scope
SKILL.md instructs installing deps and running the included scripts with explicit commands. The runtime instructions and commands focus on issue/comment/attachment/transition operations and reference only the Jira host and credentials. No instructions ask the agent to read unrelated files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only) beyond recommending 'npm install' in the repo, and package-lock.json points to official npm registry packages. No remote downloads from arbitrary URLs or archive extraction are present. Risk from install mechanism is low.
Credentials
Required environment variables are limited to the Jira host, email, and API token — appropriate and proportional for authenticating to Jira Cloud. Optional env vars (default project, max results, max file size) are reasonable. The code only reads these Jira-specific env vars (via dotenv).
Persistence & Privilege
The skill is not forced-always; it is user-invocable and allows autonomous invocation per platform defaults (no elevated 'always: true'). The skill does not modify other skills or system-wide settings. It writes/reads only user-specified attachments and expected local .env files.
Assessment
This skill appears to do what it says: a Jira Cloud CLI that uses Basic auth (email + API token). Before installing, consider: (1) Store the API token securely — a .env file contains credentials and should not be committed to source control. (2) Inspect and run the script locally in a trusted environment (it uses Node >=18 and standard npm deps). (3) Deletes require an explicit --confirm flag, but exercise caution when granting any tool access to your Jira instance. (4) If you install on a machine accessible to others or automated agents, treat the JIRA_API_TOKEN as sensitive and rotate it if compromised. If you want extra assurance, review the full scripts/jira.mjs file locally (it currently reads only the declared env vars and contacts the Jira host you provide).scripts/jira.mjs:27
Environment variable access combined with network send.
scripts/jira.mjs:13
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk970cdp2q7h1rttj4jkc1hq6k1831a51
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🎫 Clawdis
EnvJIRA_HOST, JIRA_EMAIL, JIRA_API_TOKEN
Primary envJIRA_HOST