Redmine Issue

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is advertised mainly as read-only Redmine access, but the included script can update Redmine issues using your credentials.

Review this skill as a Redmine read/write tool, not just a reader. Install it only if you are comfortable giving it Redmine credentials, and configure a trusted REDMINE_URL with a least-privilege API key. Require manual confirmation before running any update command.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could change issue status, assignee, priority, subject, description, progress, or notes in Redmine, not just read issues.

Why it was flagged

The script exposes a write operation that can modify Redmine issue fields. This is materially broader than the read/fetch/list purpose described in the skill summary, and the artifacts do not show an approval or confirmation guard before writes.

Skill content

issues.mjs update --id <issueId> ... [--notes <text>] ... await requestJson(`/issues/${encodeURIComponent(id)}.json`, { method: "PUT", body: { issue } });

Recommendation

Treat this as a read/write Redmine skill. Use a least-privilege API key and require explicit user approval before any update command is run.

What this means

The skill can access Redmine data and perform any supported actions allowed by the supplied credential.

Why it was flagged

The script uses Redmine API credentials or Basic Auth credentials from environment variables. This is expected for Redmine API access, but it grants whatever account permissions those credentials have.

Skill content

const REDMINE_API_KEY = process.env.REDMINE_API_KEY; ... headers["X-Redmine-API-Key"] = REDMINE_API_KEY; ... headers["Authorization"] = auth;

Recommendation

Use HTTPS, verify REDMINE_URL is trusted, prefer a scoped API key over username/password, and avoid credentials with broader permissions than needed.