ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

atlassian-admin

v1.0.0

Atlassian Administrator for managing and organizing Atlassian products (Jira, Confluence, Bitbucket, Trello), users, permissions, security, integrations, sys...

0· 223·3 current·3 all-time
byAlireza Rezvani@alirezarezvani
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, SKILL.md, included policy/templates, and a permission-audit script all align with an Atlassian administrator capability; the assets and Python tool are reasonable for that purpose. However, the skill documents many REST API calls and admin actions that require authenticated access yet declares no primary credential or required environment variables, which is an omission.
Instruction Scope
SKILL.md contains explicit step-by-step admin workflows and specific REST endpoints (e.g., /rest/api/3/user, /rest/plugins/1.0/) and verification steps — all within the stated admin scope. It does not instruct reading unrelated system files or exfiltrating data, but it also does not explain how to authenticate or where credentials come from (no guidance on tokens, OAuth, or orgId handling).
Install Mechanism
No install specification — instruction-only with included documentation and one local Python script. That is low-risk from an install perspective because nothing will be downloaded or executed automatically during install. The included script is local and visible for review.
!
Credentials
The skill performs operations that require admin-level API access, but requires.env and primary credential fields are empty. The skill should have declared required credentials (e.g., Atlassian admin API token, orgId, or OAuth client credentials). The omission is disproportionate to the declared metadata and could indicate either sloppy packaging or that the skill expects the environment to supply sensitive credentials implicitly — clarify before use.
Persistence & Privilege
always:false and default autonomy settings are normal. The skill does not request persistent system privileges or claim to modify other skills' configurations in the provided files.
What to consider before installing
This package looks like a legitimate Atlassian admin playbook with a local permission-audit tool, but it has a key omission: it documents REST API usage extensively but does not declare the credentials or environment variables needed to call those APIs. Before installing or enabling this skill: 1) Ask the publisher (or inspect SKILL.md) how authentication is expected to be supplied (API token, OAuth 3LO, service account + SCIM credentials) and ensure those secrets will be stored securely (not hard-coded or in plain files). 2) Verify the source/owner — there is no homepage and the publisher identity is unknown; prefer skills from known authors. 3) Review the included Python script (scripts/permission_audit_tool.py) locally to confirm it does not make network calls to unknown endpoints and to understand what input it expects (it appears to operate on local permissions JSON). 4) Test the skill in a non-production sandbox/org with least-privilege credentials before running in production. 5) If you plan to allow autonomous invocation, be cautious: an admin-capable skill could perform wide-impact actions if given admin credentials, so restrict credentials to service accounts and audit activity.

Like a lobster shell, security has layers — review code before you run it.

latestvk97feq0pxqwr38x8zy06py7xrn82q8qg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments