Confluence CLI (confcli)

Pass

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Confluence CLI helper, but users should trust the installer source and explicitly approve any Confluence write or delete action.

Before installing, make sure you trust the confcli GitHub source or inspect the installer. Configure Confluence credentials outside the chat as instructed, and require clear confirmation before any create, update, delete, upload, label, comment, export, or copy-tree operation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing this way runs code from the referenced GitHub repository on the user's machine.

Why it was flagged

The skill tells the user how to install the CLI by running a remote shell script from GitHub's main branch. This is disclosed and purpose-aligned, but the installer code is not included, pinned, or otherwise verified in the artifact set.

Skill content

curl -fsSL https://raw.githubusercontent.com/hochej/confcli/main/install.sh | sh

Recommendation

Install only if you trust the repository; consider inspecting the script, using a pinned release/checksum, or installing through a trusted package manager if available.

What this means

The CLI can act with the permissions of the configured Confluence account or API token.

Why it was flagged

The skill requires Confluence account credentials or an authenticated CLI session. That is expected for Confluence access, and the skill appropriately warns users not to paste tokens into the conversation.

Skill content

- `CONFLUENCE_DOMAIN` — e.g. `yourcompany.atlassian.net`
- `CONFLUENCE_EMAIL`
- `CONFLUENCE_TOKEN` (or `CONFLUENCE_API_TOKEN`)

Recommendation

Use the least-privileged Confluence account/token possible, confirm the domain, do not paste tokens into chat, and revoke tokens when no longer needed.

What this means

Mistakenly approved commands could change, delete, or duplicate Confluence pages, spaces, attachments, labels, or comments.

Why it was flagged

The skill exposes commands that can modify or delete Confluence content, but it also instructs the agent to require explicit user intent and suggests dry-run previews for destructive operations.

Skill content

Write operations (create, update, delete, purge, edit, label add/remove, attachment upload/delete, comment add/delete, copy-tree) require explicit user intent. Never perform these based on assumptions.

Recommendation

Approve write/delete commands only after checking the exact page, space, and command arguments; use dry-run where available.