Bitbucket

Advisory

Audited by Static analysis on May 6, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

ClawLink-mediated tools may be able to read repository data and perform actions allowed by the Bitbucket OAuth scopes the user approves.

Why it was flagged

The skill requires the user to authorize Bitbucket access through OAuth, giving the connected integration account-level repository permissions.

Skill content

ClawLink's hosted page runs the hosted OAuth flow — the user clicks through the Bitbucket login and authorization screen.

Recommendation

Review the Bitbucket authorization scopes and connect only accounts or workspaces you are comfortable managing through ClawLink.

What this means

If approved, the agent could make repository changes such as branch or pull request workflow updates.

Why it was flagged

The skill supports write-capable Bitbucket actions through ClawLink tools, but it includes preview and confirmation steps before writes.

Skill content

For writes or anything marked as requiring confirmation, call `clawlink_preview_tool` first, then confirm with the user. Execute with `clawlink_call_tool`.

Recommendation

Confirm previews carefully before allowing any write, destructive, external-facing, or bulk repository action.

What this means

Installing the plugin adds third-party integration code that will handle account pairing and tool calls.

Why it was flagged

The skill depends on an external ClawLink plugin that is not included in the provided artifacts, so its runtime behavior is outside this review.

Skill content

Install the verified ClawLink plugin: `openclaw plugins install clawhub:clawlink-plugin`

Recommendation

Install the plugin only from the expected ClawHub source and review ClawLink’s verification/source information if your repositories are sensitive.

What this means

Repository requests and relevant results may flow through ClawLink as the integration gateway.

Why it was flagged

The skill relies on a third-party integration hub to provide tool definitions and execute Bitbucket operations dynamically.

Skill content

ClawLink provides tools dynamically based on what the user has connected. You do not need to know tool names or schemas in advance.

Recommendation

Use this skill only if you trust ClawLink as an intermediary for Bitbucket repository operations and data.