ClawHub

Redmine Issue

v1.0.0

Read Redmine issues from any Redmine server via REST API with configurable URL and credentials. Use when you need to fetch a single issue, list/filter issues...

0· 577·2 current·2 all-time
byKen Chen@guoway
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The script implements get, list, and update operations against a configurable REDMINE_URL and uses either REDMINE_API_KEY or REDMINE_USERNAME+REDMINE_PASSWORD for auth, which aligns with the stated purpose. However, the registry metadata claims no required env vars/credentials while the SKILL.md and scripts clearly require REDMINE_URL and auth credentials — this inconsistency is unexpected and should be corrected.
Instruction Scope
SKILL.md instructs running the included Node script and the script's runtime behavior stays within the Redmine API (no other network endpoints, files, or system paths are accessed). Note: the script performs write operations (update) if invoked, and it prints full API responses (including attachments/journals/watchers) to stdout, which may disclose sensitive information.
Install Mechanism
There is no install spec (instruction-only with an included script), so nothing is downloaded or installed automatically. The script expects a Node environment with global fetch (Node 18+), which is a reasonable runtime requirement but should be confirmed.
!
Credentials
The skill requires REDMINE_URL and either REDMINE_API_KEY or REDMINE_USERNAME+REDMINE_PASSWORD (as documented in SKILL.md and used by the script), but the registry metadata does not declare these required environment variables or a primary credential — this mismatch is a red flag. Also, accepting username/password is higher privilege than an API key; if you only need read access, prefer a scoped read-only API key. The script's ability to update issues means credentials grant modification rights and should be provisioned minimally.
Persistence & Privilege
always is false and the skill does not modify other skills or system-wide settings. It runs as an on-demand tool and does not request persistent elevated privileges.
What to consider before installing
This skill appears to be a straightforward Redmine REST client, but before installing: (1) note the registry metadata does not declare the required REDMINE_URL and credentials — ask the publisher to fix this; (2) only provide a least-privilege API key (prefer read-only if you don't need updates); avoid supplying account username/password unless necessary; (3) be aware the tool can perform updates and prints full API responses (which may include attachments or sensitive text) to stdout — avoid running it where logs are captured by untrusted systems; (4) confirm the runtime provides Node 18+ (global fetch) or the script may fail; (5) because the skill's source/owner is unknown, verify the code yourself or obtain it from a trusted source before granting credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cvmhbgvfhd9asyrf596gew981h1ak

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments