YouTrack Project Management

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a coherent YouTrack API helper, but it needs a permanent YouTrack token and can change YouTrack records when used.

Before installing, make sure you trust the included code and the publisher enough to give it a YouTrack token. Use a least-privileged token, verify the YouTrack instance URL, avoid passing tokens directly on the command line, and review generated invoices or create/update actions before using them with clients or live project data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The token may allow reading project, issue, time-tracking, and knowledge-base data, and may allow writes depending on the user's YouTrack permissions.

Why it was flagged

The skill requires a permanent YouTrack API token. This is purpose-aligned for YouTrack access, but the registry metadata lists no primary credential or env var requirement, so users may not see the credential need until reading the instructions.

Skill content

export YOUTRACK_TOKEN=your-permanent-token-here

Recommendation

Use the least-privileged YouTrack token available, set it via environment or a secret manager rather than command-line arguments, verify the YouTrack URL before use, and rotate the token if exposed.

What this means

A mistaken or overly broad request could create or change YouTrack issues or knowledge-base articles.

Why it was flagged

The API client includes POST operations for creating or updating YouTrack issues and creating articles. These operations are consistent with the stated purpose, but they mutate project-management data.

Skill content

return self._make_request('POST', '/api/issues', data)

Recommendation

Confirm the target project, issue, title, and content before allowing write actions, and prefer a token limited to the projects and permissions needed.

What this means

It is harder to verify the publisher, maintenance history, or upstream project for this skill.

Why it was flagged

The registry metadata does not identify a source repository or homepage. This limits provenance, although the provided artifacts do include the full source, and there is no install-time dependency chain.

Skill content

Source: unknown
Homepage: none

Recommendation

Review the included scripts before use and prefer installing from a verified source if one becomes available.