Yandex Tracker CLI
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a normal Yandex Tracker command-line skill, but it can use your OAuth token to change or delete Tracker items.
Install this only if you want the agent to manage Yandex Tracker on your behalf. Use a limited OAuth token if possible, protect any local credential file, and review/confirm destructive or file-upload commands before letting the agent run them.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the token is exposed or over-permissioned, the agent or anyone with the token could access or modify Tracker data allowed by that token.
The script authenticates API calls with the user's OAuth token; this is expected for a Yandex Tracker CLI, but it means the skill acts with the token's Tracker permissions.
AUTH="Authorization: OAuth $TOKEN"
Use the least-privileged Tracker token available, keep TOKEN out of shared logs/shell history, and protect ~/.yandex-tracker-env with restrictive permissions if you use it.
The skill can create, update, transition, close, comment on, or delete Tracker items in your organization.
The documented command set includes direct mutation and deletion operations against Yandex Tracker. These are disclosed and purpose-aligned, but high-impact if invoked by an agent without user review.
`issue-delete <issue-id>` | Delete an issue ... `issue-comment-delete <issue-id> <comment-id>` | Delete a comment ... `issue-transition <issue-id> <transition-id>` | Perform a status transition
Require explicit user confirmation before running delete, update, transition, close, worklog, or comment-edit commands, especially on production/business trackers.
A file chosen for attachment upload will be shared into the referenced Tracker issue.
Attachment upload sends a selected local file to Yandex Tracker. This matches the attachment feature and the code includes path checks, but users should still verify the selected file.
curl -sS -X POST -H "$AUTH" -H "$ORG" \
-F "file=@$filepath;filename=$file_name"
Check issue IDs and file paths before upload, and use a dedicated attachment directory for files that are safe to share.
