v1.0.1

YouTrack Project Management

Benign (ClawScan verdict for this skill). Analyzed May 1, 2026, 4:55 AM.

Analysis

This appears to be a coherent YouTrack API helper, but it needs a permanent YouTrack token and can change YouTrack records when used.

Guidance: Before installing, make sure you trust the included code and the publisher enough to give it a YouTrack token. Use a least-privileged token, verify the YouTrack instance URL, avoid passing tokens directly on the command line, and review generated invoices or create/update actions before using them with clients or live project data.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/youtrack_api.py
return self._make_request('POST', '/api/issues', data)

The API client includes POST operations for creating or updating YouTrack issues and creating articles. These operations are consistent with the stated purpose, but they mutate project-management data.

User impact: A mistaken or overly broad request could create or change YouTrack issues or knowledge-base articles.
Recommendation: Confirm the target project, issue, title, and content before allowing write actions, and prefer a token limited to the projects and permissions needed.

Agentic Supply Chain Vulnerabilities
Severity: Info | Confidence: High | Status: Note
metadata
Source: unknown
Homepage: none

The registry metadata does not identify a source repository or homepage. This limits provenance, although the provided artifacts do include the full source and no install-time dependency chain.

User impact: It is harder to verify the publisher, maintenance history, or upstream project for this skill.
Recommendation: Review the included scripts before use and prefer installing from a verified source if one becomes available.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
export YOUTRACK_TOKEN=your-permanent-token-here

The skill requires a permanent YouTrack API token. This is purpose-aligned for YouTrack access, but the registry metadata lists no primary credential or env var requirement, so users may not see the credential need until reading the instructions.

User impact: The token may allow reading project, issue, time-tracking, and knowledge-base data, and may allow writes depending on the user's YouTrack permissions.
Recommendation: Use the least-privileged YouTrack token available, set it via environment or a secret manager rather than command-line arguments, verify the YouTrack URL before use, and rotate the token if exposed.