Jira Task Manager

This skill appears to implement Jira and local-repo automation, but there are red flags you should consider before installing: - Hard-coded credentials: The package contains a plaintext JIRA_API_TOKEN and JIRA_EMAIL in references/jira.md and as default values inside many scripts. Do NOT assume those are safe or inert — they may be valid and could expose someone else's account or allow the skill to act without your consent. Ask the publisher to remove embedded secrets and rely only on environment-provided credentials. - Local filesystem and command execution: The scripts scan your workspace, run git commands, and execute repo test commands (subprocess.run). Only install/use this skill in an environment you trust. Prefer running it in an isolated development VM or container if you want to test. - Confirm intended behavior: The SKILL.md says it will wait for user approval before pushing/merging or transitioning issues, but the scripts can perform transitions and updates via the Jira API. Verify the agent's runtime prompts actually occur and that it will not perform irreversible operations without explicit consent. - Remove or rotate exposed credentials: If you control the Jira account referenced, rotate the API token immediately. If you do not, consider the embedded token evidence of sloppy packaging and avoid installing until it's removed. - Verify repository mappings: references/repos.json contains absolute /Users/a/... paths. Ensure these mappings won't point to sensitive paths on your machine, or update them before running. If you need a safer alternative, ask the publisher to produce a version with no embedded secrets, relative repo-paths or a configurable workspace, and explicit checks that require interactive approval before any write/transition operations.