Skill v1.0.0

ClawScan security

atlassian-templates · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 3:43 PM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is internally consistent: it provides Confluence/Jira template guidance and a local Python scaffolder, and it does not request credentials, install external code, or perform unexpected actions.
Guidance
This skill appears to do what it says: generate and document Confluence/Jira templates. Before installing or running: (1) review the included Python script locally to confirm it matches your policies (it appears to use only standard libs and only generates markup); (2) understand that publishing templates into Confluence/Jira requires admin credentials and appropriate permissions — the skill does not store or request those credentials, so publishing will need to be done through your normal admin workflows or by providing credentials separately; (3) if you plan to run runbook templates that include command snippets, ensure those commands are vetted and only executed in safe environments; (4) test template deployment in a sandbox Confluence space first to verify rendering and macro behavior.

Review Dimensions

Purpose & Capability
note: The name/description match the provided artifacts: SKILL.md contains template libraries, governance guidance, and deployment workflow text, and scripts/template_scaffolder.py generates Confluence/Jira template XHTML. One small mismatch: the runtime docs reference publishing via 'MCP' (an admin deployment step) but the skill declares no credentials or environment variables for deployment — publishing into Confluence will require admin access in practice, which the skill doesn't declare or manage.
Instruction Scope
ok: The SKILL.md instructions and the included script remain within the stated domain (designing, generating, and managing templates). There are no instructions to read arbitrary system files, harvest environment variables, or exfiltrate data. The scaffolder only produces markup strings and makes no external network calls in the provided code.
Install Mechanism
note: This is an instruction-only skill with a bundled Python script; no install spec or remote downloads are present. The included script appears to use only Python standard libraries. Because no install step is declared, users should ensure a compatible Python runtime is available before running the script locally.
Credentials
ok: The skill declares no required environment variables, credentials, or config paths. Given its purpose (template generation and guidance) this is proportionate. Be aware that actual publishing to Confluence/Jira will require Atlassian credentials that this skill does not request or manage.
Persistence & Privilege
ok: The skill does not request always:true or any elevated/persistent presence. It does not modify other skills or global agent configurations. Autonomous invocation is allowed by default but is not combined with any broad credential access or suspicious behavior here.