ClawHub

YouTrack Project Management

v1.0.1

Interact with YouTrack project management system via REST API. Read projects and issues, create tasks, generate invoices from time tracking data, and manage knowledge base articles. Use for reading projects and work items, creating or updating issues, generating client invoices from time tracking, and working with knowledge base articles.

1· 1.8k·0 current·0 all-time
by@digisal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included code (youtrack_api.py and invoice_generator.py) align: the skill only targets YouTrack operations (projects, issues, work items, articles) and invoice generation from time tracking.
Instruction Scope
SKILL.md instructs the agent and user to use a YouTrack permanent token (YOUTRACK_TOKEN) and only describes YouTrack API calls and invoice generation. The runtime instructions do not request unrelated files, system settings, or external endpoints beyond the user's YouTrack instance.
Install Mechanism
No install spec is provided (instruction-only). Code files are included but nothing is downloaded or executed automatically by an installer. This is low-risk from an installation perspective.
!
Credentials
SKILL.md and the code clearly require an API token via YOUTRACK_TOKEN (or a --token argument), but the registry metadata lists no required environment variables and no primary credential. That mismatch is an incoherence: the skill will fail without a token and the metadata omission could mislead users into thinking no secrets are needed. Aside from that, requesting a single YouTrack token is proportionate to the described functionality.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It runs as a normal, user-invoked skill and has no elevated persistence privileges.
What to consider before installing
This skill's code and instructions look coherent for interacting with YouTrack and generating invoices, but the registry metadata incorrectly omits the required API token (YOUTRACK_TOKEN). Before installing or running: 1) Treat your YouTrack token as a secret — only provide a least-privilege token and preferably create a dedicated service account or token with minimal scope. 2) Verify the registry metadata is corrected (it should declare YOUTRACK_TOKEN as a required credential/primaryEnv). 3) Inspect the included scripts locally (they use only your-instance.youtrack.cloud and standard urllib) and run them in a sandbox or with a test token first. 4) Consider passing the token via CLI argument rather than exporting it into a long-lived environment variable if that fits your security policy. 5) Note minor code issues (e.g., a reference to urllib.parse.quote in get_issues may require an import) — treat these as implementation bugs rather than malicious behavior. If the metadata remains inconsistent or you cannot verify the source, avoid using real credentials with this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk973y6tx9dw5r6djrsjp9x071h802w1c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments