YouTrack Issue Tracker
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is for YouTrack management, but it references a missing/unreviewed CLI while asking for account tokens and documenting broad bulk issue-changing commands.
Before installing, verify the actual `ytctl` executable and avoid letting the agent perform bulk YouTrack changes without a dry-run and explicit confirmation. Use a limited-scope token if available.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may try to run an unreviewed or locally resolved `ytctl` command while using your YouTrack credentials.
The provided manifest says there are no code files and no install spec, so the referenced `scripts/ytctl` helper is absent and cannot be reviewed. Because this helper would use tokens and mutate YouTrack data, the missing executable provenance is material.
Use `ytctl` (in `scripts/`) for YouTrack issue tracking.
Install only if you can verify the intended `ytctl` script/source yourself, or require the publisher to include the reviewed CLI implementation and install instructions.
A broad query or mistaken invocation could change many YouTrack issues or post many comments at once.
The skill documents commands that can update, comment on, or assign all matching issues. Dry-run is shown as optional and is not shown for bulk comments, with no mandatory approval or maximum scope documented.
ytctl bulk-update "project: SP state: Open" state "In Progress" ytctl bulk-comment "project: SP state: Open" "Batch update notice" ytctl bulk-assign "project: SP #unresolved" john.doe --dry-run
Require explicit user confirmation and a dry-run preview before any create, update, comment, assignment, or bulk operation, especially for queries matching multiple issues.
The token may allow the agent to act as your YouTrack account for issue viewing and changes.
The skill clearly asks for a YouTrack token, which is expected for this integration, but the registry metadata declares no primary credential or required environment variables.
Credentials stored in `~/.config/youtrack/config.json`:
```json
{
"url": "https://your-instance.youtrack.cloud",
"token": "perm:xxx"
}
```
Or set env vars: `YOUTRACK_URL`, `YOUTRACK_TOKEN`Use a least-privilege YouTrack token where possible, store it carefully, and revoke it if the skill is no longer needed.