Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jiraandconfluence Skill

v1.0.0

Automates retrieval and summary of Jira Cloud issues and Confluence Cloud pages using secure API tokens for improved workflow insights.

by Samuel Porras @arkiant
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is Jira/Confluence API access using API tokens, which aligns with the included scripts. However, the registry metadata declares no required environment variables or binaries, while the scripts clearly require JIRA_API_TOKEN, CONFLUENCE_API_TOKEN, and the presence of curl and jq. That mismatch (required secrets/binaries not declared) is disproportionate and inconsistent.
Instruction Scope
SKILL.md instructs storing API tokens in environment variables and running the provided reader scripts; the scripts only contact Atlassian domains (placeholders) and do not perform obvious data exfiltration to third parties. However, the SKILL.md, example files, and script endpoints include inconsistent/incorrect API paths and authentication instructions (e.g., claiming either basic or bearer while scripts send 'Authorization: Basic ${TOKEN}' directly). The instructions are otherwise scoped to the stated purpose but contain inaccuracies that could cause misuse.
Install Mechanism
No install spec (instruction-only + local scripts) — lowest install risk. Nothing in the package downloads or executes remote code. This is the least risky install model.
Credentials
The skill legitimately needs two Atlassian tokens (JIRA_API_TOKEN and CONFLUENCE_API_TOKEN), which is proportionate. But those env vars are not declared in the skill metadata. Also the scripts export tokens into the environment (normal) but contain broken export syntax. Required binaries (curl, jq) are used but not declared. The missing metadata declarations make credential/permission requirements unclear.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges (always is false, it is user-invocable). It does not modify other skills or system configs. No persistence/privilege concerns identified.
Scan Findings in Context
[MISSING_ENV_DECLARATION] unexpected: Scripts require JIRA_API_TOKEN and CONFLUENCE_API_TOKEN, but the registry metadata lists no required environment variables. The mismatch is unexpected and should be fixed.
[MISSING_BINARY_DECLARATION] unexpected: scripts/jira_reader.sh and scripts/confluence_reader.sh call curl and pipe to jq, but required binaries are not declared in metadata. curl and jq are necessary for normal operation.
[BROKEN_SHELL_SYNTAX] unexpected: scripts/auth.sh contains malformed export lines (unbalanced quotes) and redundant checks; this is a bug that will cause script errors and indicates poor quality control.
[INCORRECT_AUTH_HEADER] unexpected: The reader scripts send 'Authorization: Basic ${TOKEN}' directly. Atlassian Cloud expects Basic auth to be 'Basic base64(email:api_token)' or Bearer for OAuth; simply placing a raw token after 'Basic' is incorrect and will fail or be misused.
[INCONSISTENT_API_PATHS] unexpected: SKILL.md lists operations like 'GET /api/v2/issues/{...}' and 'GET /wiki/rsl/{...}' which do not match Atlassian Cloud REST API paths used in scripts. This inconsistency suggests outdated or copy-pasted documentation.
What to consider before installing
This package seems intended to read Jira and Confluence using API tokens, but it has multiple problems you should resolve before trusting it:
(1) Do not install from unknown sources without review — there is no homepage and the publisher identity is unknown.
(2) Expect to provide JIRA_API_TOKEN and CONFLUENCE_API_TOKEN (the skill metadata fails to declare them) and ensure tokens have minimum necessary scope (read-only if possible).
(3) The scripts require curl and jq; install those or update the metadata.
(4) Fix bugs before use: scripts/auth.sh has broken export syntax and will error, and the Authorization header usage is incorrect for Atlassian Cloud (the token must be used properly, typically as Basic with base64-encoded email:token or via OAuth/bearer).
(5) Replace placeholder domain (your-domain.atlassian.net) with your real domain and test the scripts in an isolated environment with a limited-scope token.
(6) Prefer obtaining a skill from a verifiable source, or fork and correct the code locally; review and test changes before providing real credentials.
If you want, I can suggest exact fixes for the auth flow and script issues.
