Clawhub Jira Pat Skill
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can access Jira as allowed by the PAT, including reading and changing issues if the token has those permissions.
The skill relies on a Jira Personal Access Token, so actions taken through the skill inherit the permissions granted to that token.
Create a new token with appropriate permissions ... Store it in environment variable `JIRA_PAT`
Use a least-privilege PAT, keep it out of logs and shared shells, and revoke or rotate it if it is no longer needed.
If used incorrectly, the agent could comment on, transition, update, or create Jira issues in an enterprise project.
The skill documents Jira API write operations that can change issue state, fields, comments, or create new issues. This is aligned with the stated purpose but is higher impact than read-only access.
### Transition (Change Status) ... curl -s -X POST ... ### Update Issue Fields ... curl -s -X PUT ... ### Create an Issue
Require user confirmation for write operations and verify the issue key, transition ID, and payload before running POST or PUT commands.
A user relying only on metadata may not realize the skill needs a Jira token and local command-line tools until they read the skill instructions.
The supplied metadata does not declare the actual runtime requirements and credential use that SKILL.md and scripts/jira-pat.sh disclose: JIRA_PAT, JIRA_URL, curl, and jq.
Required binaries (all must exist): none ... Required env vars: none ... Primary credential: none
Update metadata to declare JIRA_PAT, JIRA_URL, curl, and jq so users and platforms can assess requirements before installation.
