v1.0.1

YouTrack Issue Tracker

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:54 AM.

Analysis

The skill is consistent with managing YouTrack, but it asks for a persistent YouTrack token and documents bulk issue changes through a referenced CLI helper that is not included in the artifacts.

Guidance: Review or supply the `ytctl` implementation before installing, use a least-privileged YouTrack token, secure the local token file, and require dry-run plus explicit confirmation before create/update/comment or bulk operations.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium. Confidence: High. Status: Concern.
SKILL.md
Use `ytctl` (in `scripts/`) for YouTrack issue tracking.

The provided manifest contains only SKILL.md and no install spec or scripts directory, so the CLI helper that would use the token and perform issue mutations is outside the reviewed artifacts.

User impact: The agent may rely on an unreviewed or missing local `ytctl` executable for account actions, making the real credential handling and API behavior unclear.
Recommendation: Package the `ytctl` helper in the skill or declare a pinned, trusted install source; also declare `ytctl` and the YouTrack credential requirements in metadata.
Tool Misuse and Exploitation
Severity: Medium. Confidence: High. Status: Note.
SKILL.md
ytctl bulk-update "project: SP state: Open" state "In Progress"
ytctl bulk-comment "project: SP state: Open" "Batch update notice"
ytctl bulk-assign "project: SP #unresolved" john.doe --dry-run

The documented CLI supports bulk modifications to all issues matching a query; this is purpose-aligned for workflow automation, but it can have broad impact if run without review.

User impact: A mistaken query or command could update, comment on, or reassign many YouTrack issues.
Recommendation: Use dry-run first for every bulk action, confirm the exact query and affected issue count, and require explicit user approval before any write or bulk operation.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium. Confidence: High. Status: Note.
SKILL.md
Credentials stored in `~/.config/youtrack/config.json`:
{
  "url": "https://your-instance.youtrack.cloud",
  "token": "perm:xxx"
}

Or set env vars: `YOUTRACK_URL`, `YOUTRACK_TOKEN`

The skill uses a personal YouTrack token, which is expected for the service integration but gives the CLI whatever permissions the token/user has.

User impact: Anyone or anything using this token may be able to read or modify YouTrack data according to the token's permissions.
Recommendation: Use the least-privileged token possible, avoid sharing it, protect the config file permissions, and revoke/rotate the token if it is exposed.