Epragma Redmine Issue

Audited by ClawScan on May 10, 2026.

Overview

The skill talks to the configured Redmine server. It is advertised mainly as read-only, yet it also performs issue and time-entry changes, and it does so with an API key that the registry metadata does not declare.

Install this only if you are comfortable giving the skill a Redmine API key that can perform the documented write actions. Prefer a least-privilege Redmine account or API key, verify the configured URL, and treat the skill as capable of modifying project data rather than as read-only.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill may change Redmine work items or logged time, not just read them.

Why it was flagged

The same artifact frames the skill as reading Redmine issues but later documents write actions. A user or agent expecting read-only behavior could grant more authority than intended.

Skill content
description: Read Redmine issues ... ## Update one issue ... ## Add comment to issue ... ## Create new issue ... ## Time Entries ... time-add
Recommendation

Update the description and metadata to clearly disclose write capabilities, or split read-only and write-capable functions into separate skills.

What this means

An agent invoking these commands could alter shared project records, assignments, statuses, comments, or time entries.

Why it was flagged

The code exposes state-changing Redmine API calls for issue updates, issue creation, comments, and time-entry creation, with no confirmation step or scoping safeguard visible anywhere in the artifact.

Skill content
return request(`/issues/${id}.json`, { method: 'PUT' ... }); ... return request('/issues.json', { method: 'POST' ... }); ... return request('/time_entries.json', { method: 'POST' ... });
Recommendation

Require explicit user confirmation for write operations, document the exact allowed actions, and consider using a least-privilege Redmine API key.
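One way to implement the confirmation gate recommended here, as an added example in the skill's own language (JavaScript) and not code taken from the skill: every request is classified, and anything that is not a GET is refused unless writes were enabled, the path matches one of the documented write actions, and a caller-supplied confirm callback approves that specific action. The names createRedmineClient, authorizeRequest, allowWrites and confirm are assumptions, as is the action list, which mirrors the endpoints quoted in the skill content above.

```javascript
// Added example, not the skill's own code. Names (createRedmineClient,
// authorizeRequest, allowWrites, confirm) are assumptions for illustration.

const WRITE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// The only state-changing calls the client will ever make. Redmine adds a
// comment through the same PUT /issues/:id.json used for updates, so both map
// to one action. Any other non-GET request is refused before it reaches the network.
const ALLOWED_WRITES = [
  { method: 'PUT',  path: /^\/issues\/\d+\.json$/,  action: 'issue-update' },
  { method: 'POST', path: /^\/issues\.json$/,        action: 'issue-create' },
  { method: 'POST', path: /^\/time_entries\.json$/,  action: 'time-add' },
];

// Decide whether a request is a read, a documented write, or an undocumented write.
function classifyRequest(path, method = 'GET') {
  const m = method.toUpperCase();
  if (!WRITE_METHODS.has(m)) return { write: false, action: 'read' };
  const rule = ALLOWED_WRITES.find(r => r.method === m && r.path.test(path));
  return { write: true, action: rule ? rule.action : null };
}

// Pure policy decision: reads always pass; writes need allowWrites, a
// documented action, and an explicit confirmation (strictly `true`).
function authorizeRequest({ allowWrites = false, confirmed = false }, path, method = 'GET') {
  const { write, action } = classifyRequest(path, method);
  if (!write) return { allowed: true, action };
  if (!allowWrites) return { allowed: false, action, reason: 'client is read-only' };
  if (!action) return { allowed: false, action, reason: `${method} ${path} is not a documented write action` };
  if (confirmed !== true) return { allowed: false, action, reason: `${action} was not confirmed by the user` };
  return { allowed: true, action };
}

function createRedmineClient({ baseUrl, apiKey, allowWrites = false, confirm = async () => false, fetchImpl = globalThis.fetch }) {
  const root = baseUrl.replace(/\/$/, '');
  async function request(path, { method = 'GET', body } = {}) {
    const { write, action } = classifyRequest(path, method);
    // Ask the user only when the write could actually be permitted.
    const confirmed = write && allowWrites && action
      ? await confirm({ action, method, path, body })
      : false;
    const decision = authorizeRequest({ allowWrites, confirmed }, path, method);
    if (!decision.allowed) throw new Error(`write blocked: ${decision.reason}`);
    const res = await fetchImpl(root + path, {
      method,
      headers: { 'X-Redmine-API-Key': apiKey, 'Content-Type': 'application/json' },
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    if (!res.ok) throw new Error(`Redmine ${method} ${path} -> HTTP ${res.status}`);
    return res.status === 204 ? null : res.json();
  }
  return { request };
}
```

The client is read-only unless a deployment deliberately passes allowWrites: true and an interactive confirm callback, and even then it can reach only the three documented write endpoints; a DELETE, which the skill never documents, is refused regardless of confirmation.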

What this means

The skill acts with the full permissions of whatever Redmine API key it is given, and the undeclared fallback makes it unclear which environment variable is actually supplying that credential.

Why it was flagged

The skill reads an API key from environment variables and sends it in the X-Redmine-API-Key header; when REDMINE_API_KEY is unset it silently falls back to REDMINE_BASE_URL, a variable that is declared nowhere. Registry metadata says no credentials or environment variables are required.

Skill content
const API_KEY = process.env.REDMINE_API_KEY || process.env.REDMINE_BASE_URL || ''; ... 'X-Redmine-API-Key': apiKey
Recommendation

Declare REDMINE_URL and REDMINE_API_KEY in metadata, remove or clearly document the REDMINE_BASE_URL fallback, and advise users to provide a narrowly scoped API key.
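A configuration loader that follows this recommendation, written as an added JavaScript example and not taken from the skill: it reads only the two declared variables, refuses the legacy REDMINE_BASE_URL outright, validates the URL (https, no embedded credentials, optional host allow-list), and reports swapped values instead of quietly accepting them. The assumption that a Redmine API key is a 40-character hex string reflects how current Redmine generates keys; the host allow-list and the function names loadRedmineConfig and maskKey are illustrative.

```javascript
// Added example, not the skill's own code. loadRedmineConfig and maskKey are
// illustrative names; the host allow-list is supplied by the caller.

// Current Redmine versions issue API keys as 40 hexadecimal characters
// (assumption about key format; relax this if your server differs).
const API_KEY_RE = /^[0-9a-f]{40}$/i;
const LOOKS_LIKE_URL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;

// Read REDMINE_URL and REDMINE_API_KEY from `env` and return either
// { ok: true, baseUrl, apiKey } or { ok: false, errors: [...] }.
// There is deliberately no fallback between variables: a URL in the key slot
// or a key in the URL slot is reported, never silently accepted.
function loadRedmineConfig(env, { allowedHosts = [] } = {}) {
  const errors = [];
  const url = (env.REDMINE_URL ?? '').trim();
  const apiKey = (env.REDMINE_API_KEY ?? '').trim();

  if (env.REDMINE_BASE_URL !== undefined) {
    errors.push('REDMINE_BASE_URL is not supported; set REDMINE_URL and REDMINE_API_KEY');
  }
  if (!url) errors.push('REDMINE_URL is required');
  if (!apiKey) errors.push('REDMINE_API_KEY is required');

  let parsed = null;
  if (url) {
    try {
      parsed = new URL(url);
    } catch {
      errors.push(API_KEY_RE.test(url)
        ? 'REDMINE_URL contains an API key; the variables appear to be swapped'
        : 'REDMINE_URL is not a valid URL');
    }
  }
  if (parsed) {
    if (parsed.protocol !== 'https:') errors.push('REDMINE_URL must use https');
    if (parsed.username || parsed.password) errors.push('REDMINE_URL must not embed credentials');
    if (allowedHosts.length && !allowedHosts.includes(parsed.hostname)) {
      errors.push(`REDMINE_URL host ${parsed.hostname} is not in the allow-list`);
    }
  }
  if (apiKey && LOOKS_LIKE_URL_RE.test(apiKey)) {
    errors.push('REDMINE_API_KEY contains a URL; the variables appear to be swapped');
  } else if (apiKey && !API_KEY_RE.test(apiKey)) {
    errors.push('REDMINE_API_KEY does not look like a Redmine API key');
  }

  if (errors.length) return { ok: false, errors };
  // Normalise to origin plus any sub-path, without a trailing slash, so that
  // requests can be built as baseUrl + '/issues.json'.
  return { ok: true, baseUrl: parsed.origin + parsed.pathname.replace(/\/$/, ''), apiKey };
}

// For logs and startup banners: show which key is in use without revealing it.
function maskKey(apiKey) {
  if (typeof apiKey !== 'string' || apiKey.length < 8) return '****';
  return `${apiKey.slice(0, 4)}...${apiKey.slice(-4)}`;
}
```

Failing closed with a list of every problem, rather than picking the first value that happens to be set, is what makes the swapped-variable situation described in the next finding impossible to reach silently: the skill would refuse to start and say exactly which variable is wrong.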

What this means

The bundled memory note could lead to confusing credential setup, though no secret user data is present in the artifact.

Why it was flagged

The skill ships a persistent memory-style note with configuration guidance, including behavior not clearly described in SKILL.md. It does not contain secrets, but it may influence how the agent configures credentials.

Skill content
Updated `issues.mjs` to support swapped env vars: - `REDMINE_API_KEY` can contain the URL - `REDMINE_BASE_URL` can contain the API key
Recommendation

Move intended configuration behavior into SKILL.md and remove development memory files that are not needed at runtime.