Skill v1.0.0

ClawScan security

atlassian-admin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 11, 2026, 3:43 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's files and instructions match an Atlassian admin role, but it omits any declared credentials or environment requirements needed to actually call Atlassian APIs, which is an incoherence you should review before installing.
Guidance
This package looks like a legitimate Atlassian admin playbook with a local permission-audit tool, but it has a key omission: it documents REST API usage extensively but does not declare the credentials or environment variables needed to call those APIs. Before installing or enabling this skill:
1) Ask the publisher (or inspect SKILL.md) how authentication is expected to be supplied (API token, OAuth 3LO, service account + SCIM credentials) and ensure those secrets will be stored securely (not hard-coded or in plain files).
2) Verify the source/owner — there is no homepage and the publisher identity is unknown; prefer skills from known authors.
3) Review the included Python script (scripts/permission_audit_tool.py) locally to confirm it does not make network calls to unknown endpoints and to understand what input it expects (it appears to operate on local permissions JSON).
4) Test the skill in a non-production sandbox/org with least-privilege credentials before running in production.
5) If you plan to allow autonomous invocation, be cautious: an admin-capable skill could perform wide-impact actions if given admin credentials, so restrict credentials to service accounts and audit activity.

Review Dimensions

Purpose & Capability
note: The name, SKILL.md, included policy/templates, and a permission-audit script all align with an Atlassian administrator capability; the assets and Python tool are reasonable for that purpose. However, the skill documents many REST API calls and admin actions that require authenticated access yet declares no primary credential or required environment variables, which is an omission.
Instruction Scope
note: SKILL.md contains explicit step-by-step admin workflows and specific REST endpoints (e.g., /rest/api/3/user, /rest/plugins/1.0/) and verification steps — all within the stated admin scope. It does not instruct reading unrelated system files or exfiltrating data, but it also does not explain how to authenticate or where credentials come from (no guidance on tokens, OAuth, or orgId handling).
Install Mechanism
ok: No install specification — instruction-only with included documentation and one local Python script. That is low-risk from an install perspective because nothing will be downloaded or executed automatically during install. The included script is local and visible for review.
Credentials
concern: The skill performs operations that require admin-level API access, but the requires.env and primary credential fields are empty. The skill should have declared required credentials (e.g., Atlassian admin API token, orgId, or OAuth client credentials). The omission is disproportionate to the declared metadata and could indicate either sloppy packaging or that the skill expects the environment to supply sensitive credentials implicitly — clarify before use.
Persistence & Privilege
ok: always:false and default autonomy settings are normal. The skill does not request persistent system privileges or claim to modify other skills' configurations in the provided files.