Jira Task Manager

Security checks across malware telemetry and agentic risk

Overview

This Jira automation skill appears to include hidden shared Jira credentials and broad local code-execution capabilities that need human review before installation.

Do not install this version without manual review. The publisher should remove and rotate any embedded Jira tokens, require explicit user-provided credentials, document all Jira and repository actions, and add clear confirmation before file edits, branch changes, issue transitions, comments, or local test execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (27)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
start = time.time()
try:
    result = subprocess.run(
        cmd,
        cwd=repo_path,
        capture_output=True,
Confidence
89% confidence
Finding
result = subprocess.run( cmd, cwd=repo_path, capture_output=True, text=True, timeout=timeout, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill declares access to environment variables and relies on shell-executed scripts, but does not explicitly declare permissions or warn about those capabilities. This weakens reviewability and least-privilege controls, making it easier for an operator to invoke a skill that can access secrets and run local commands without clear authorization boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose frames the skill as Jira automation, but the described behavior extends into repository discovery, local workspace scanning, code modification, and test execution. That mismatch can cause users or calling systems to grant trust or invoke the skill for low-risk ticket operations when it actually has materially broader and riskier execution behavior.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation presents the skill as Jira automation, yet the workflow includes synchronizing repositories, editing source files, and running tests. This creates a security-significant documentation gap: a user may invoke the skill expecting issue tracking actions while unintentionally authorizing local code changes and command execution.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to implement code changes in repositories as part of a Jira task flow, expanding from ticket management into direct software modification. That broad capability increases the risk of unintended or unsafe changes, especially when triggered from natural-language requests that may not clearly convey authorization for repo writes.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The opening text claims common Jira operations, but later steps direct repository edits and test execution. This inconsistency undermines informed consent and increases the chance that higher-risk behavior is hidden behind a lower-risk description.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The file discloses a specific Google Drive folder ID and its operational purpose, which expands the accessible resource surface beyond Jira and gives an attacker useful reconnaissance about where templates, attachments, and related project materials are stored. In the context of an automation skill, this kind of cross-system reference can enable unauthorized access attempts, phishing, or abuse of any agent capabilities that can reach linked resources.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file contains hardcoded default Jira credentials, including what appears to be a live API token, which can enable unauthorized access to the Jira tenant if the code is exposed or reused. In a skill that can execute Jira actions end-to-end, embedded credentials significantly increase risk because they allow silent authentication without explicit user provisioning or approval.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains hardcoded Jira credentials, including what appears to be a live API token fallback, directly in source code. Embedding secrets in a skill that can be distributed, inspected, or reused exposes the Jira tenant to unauthorized access and makes secret rotation and audit control difficult.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script embeds real-looking fallback Jira credentials directly in source code, including an API token. Hardcoded secrets are highly dangerous because anyone with access to the code can reuse them to access the Jira tenant, and fallback behavior means the secret may be used even when no environment is configured.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
This function explicitly runs repository-defined test commands, including custom commands from configuration, which allows arbitrary local code execution through repository metadata and test tooling. That behavior is not necessary for basic Jira task management and materially expands the skill's attack surface into code execution on the agent machine.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file adds local repository test execution to a skill described as Jira automation, creating a capability mismatch that can surprise users and downstream systems about what the skill is allowed to do. In security terms, this hidden expansion of scope increases the chance that the skill will be invoked in contexts where executing untrusted local code is unsafe.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script hardcodes a Jira email address and API token directly in source code, which exposes reusable credentials to anyone with repository or package access. In the context of a Jira automation skill, this is especially dangerous because the credential enables authenticated remote actions against the organization's Jira instance, including reading or modifying issues depending on token scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script contains default Jira credentials, including what appears to be a live API token, directly in source code. Hardcoded secrets are dangerous because anyone with access to the skill can reuse them to authenticate to Jira, modify issues, access project data, and potentially pivot into broader organizational workflows.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Broad trigger phrases such as 'Jira task' or 'work on issue' can cause accidental or overly eager invocation of a skill that can access Jira, sync repositories, and modify code. When a skill has side effects, ambiguous activation language materially raises the chance of unintended execution.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases 'work on DS-XXX', 'fix DS-XXX', and 'pick up DS-XXX' are ambiguous and tied to an end-to-end flow that can sync repos, edit files, and run tests. Because these are natural conversational phrases, the skill may activate in contexts where the user did not intend to authorize repository actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The end-to-end workflow lacks a prominent warning that it will modify repository files and execute tests locally. Without clear notice up front, users may approve the workflow based on a Jira-management mental model and inadvertently permit broader, potentially destructive local operations.

Missing User Warnings

High
Confidence
99% confidence
Finding
The markdown contains live-looking Jira credentials, including an email address and a full API token, which is a direct secret exposure. If valid, these credentials could allow unauthorized access to Jira data and administrative actions such as reading issues, creating or modifying tickets, commenting, transitioning workflows, and potentially pivoting into broader project operations.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This script automatically authenticates to Jira, sends issue keys and comment bodies to an external SaaS endpoint, and retrieves existing comments from it, without any user disclosure, confirmation, or data-classification guardrails. In an agent skill context, that increases the risk of silently transmitting sensitive repository, task, or internal operational data to Jira when a user may not expect external disclosure.

Missing User Warnings

High
Confidence
99% confidence
Finding
The file contains a hardcoded Jira URL, an email address, and, most seriously, a live-looking API token fallback embedded directly in source. Hardcoded credentials can be extracted by anyone with code access, reused outside intended workflows, and may grant unauthorized access to Jira data and actions.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The code accesses sensitive credentials and makes outbound authenticated requests to Jira without any explicit disclosure, consent flow, or user-visible notice. While this is not as severe as the hardcoded secret itself, it reduces transparency and can enable unexpected data access in an agent context where users may not realize external systems are being queried with privileged credentials.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script silently uses embedded credentials to authenticate to an external Jira instance, so anyone running the skill may trigger authenticated API access without understanding that privileged credentials are being used. In the context of a Jira automation skill, this is especially dangerous because it normalizes hidden external actions against a production project and can expose or misuse project data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This script reads Jira credentials and makes authenticated requests automatically, with no consent prompt, disclosure, or execution guard. In the context of an agent skill that can be triggered by natural-language task requests, that creates a meaningful risk of silent access to organizational data under a real user identity.

Natural-Language Policy Violations

Medium
Confidence
99% confidence
Finding
The code hard-codes a specific email address as the default Jira identity, which can cause actions and data access to occur under an unintended account. In an automation skill, this increases the chance of unauthorized or surprising access, attribution errors, and privacy violations if the environment is misconfigured or unset.

Missing User Warnings

High
Confidence
97% confidence
Finding
The code uses sensitive Jira credentials silently, with no disclosure that authenticated actions will be performed using a stored account. This reduces user awareness and makes it easier for the skill to operate with hidden privileges, which is risky in an automation context where users may assume actions occur under their own identity or only after explicit consent.

VirusTotal

66/66 vendors flagged this skill as clean.
