Atlassian Jira by altf1be

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Jira Cloud integration, but it needs a Jira API token and can change Jira issues, comments, attachments, and workflow state when invoked.

Install only if you are comfortable giving the agent Jira API-token access. Use a dedicated low-privilege Jira account where possible, confirm the Jira host, keep the token out of shared files, and ask the agent to get explicit approval before making Jira changes. The supplied script excerpt was truncated, so review the full script from the trusted source if you need higher assurance.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent is allowed to use the skill, it can make visible changes in Jira under the configured account's permissions.

Why it was flagged

These commands can mutate Jira issues, comments, attachments, and workflow state. This is disclosed and central to the skill, but it is still high-impact business-data authority.

Skill content

Commands include create, update, delete --confirm, comment-add, attachment-add --file, and transition --transition-id.

Recommendation

Use a least-privileged Jira account or token, restrict Jira project permissions where possible, and require explicit user confirmation before write, delete, attachment, or transition actions.

What this means

Anyone or any agent process with these environment variables can act in Jira with the configured account's permissions.

Why it was flagged

The script reads Jira credentials from environment variables and sends them as Basic Auth to the configured Jira API endpoint, which is expected but grants account-level Jira authority.

Skill content

const host = process.env.JIRA_HOST;
const email = process.env.JIRA_EMAIL;
const apiToken = process.env.JIRA_API_TOKEN;
...
return `Basic ${token}`;
...
fetch(url, { ...options, headers });

Recommendation

Store the token securely, verify JIRA_HOST points to the intended Atlassian site, avoid sharing the .env file, and rotate the token if it may have been exposed.