junie

Review

Audited by ClawScan on May 4, 2026.

Overview

This appears to be a coherent Junie setup and orchestration helper, but by design it installs and runs Junie, handles API credentials, and writes persistent Junie configuration.

This skill looks suitable if you want an agent to help install and operate JetBrains Junie. Before using it, confirm any install method, keep API keys out of committed config, scope Junie tasks carefully, and review persistent .junie files and Junie's changes before trusting them.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the installer can execute JetBrains-provided code and modify the user's local environment.

Why it was flagged

The installer helper downloads and executes an external shell installer when the script method is used. The script also logs a trust note, and this behavior is central to installing Junie.

Skill content
curl -fsSL https://junie.jetbrains.com/install.sh -o "$local_tmp" ... bash "$local_tmp"
Recommendation

Run installation only when you intend to install Junie; prefer Homebrew or npm if that better fits your trust model, and in sensitive environments pin the installer's digest or inspect the downloaded script before running it.
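One way to act on the pinning recommendation, shown here as an added example rather than the skill's own installer helper: download the script to a temp file, compare its SHA-256 with a digest you recorded after reading that revision, and execute it only on a match. The pinned digest below is a placeholder and the URL is the one quoted in the finding.

```python
"""Added example (not the skill's installer helper): fetch the installer to a temp file and run
it only if its SHA-256 matches a digest pinned after reviewing that revision of the script."""
import hashlib
import hmac
import shutil
import subprocess
import tempfile
import urllib.request
from pathlib import Path

INSTALLER_URL = "https://junie.jetbrains.com/install.sh"  # URL quoted in the review
# Placeholder digest (assumption): replace with the SHA-256 of the installer revision you inspected.
PINNED_SHA256 = "0" * 64


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are not loaded at once."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_installer(path: Path, expected_sha256: str) -> bool:
    """True only if the file's digest equals the pinned one (constant-time comparison)."""
    return hmac.compare_digest(sha256_of(path), expected_sha256.strip().lower())


def fetch_to_temp(url: str) -> Path:
    """Download to a private temp file; never pipe the response straight into bash."""
    with urllib.request.urlopen(url, timeout=30) as resp, tempfile.NamedTemporaryFile(
        prefix="junie-install-", suffix=".sh", delete=False
    ) as out:
        shutil.copyfileobj(resp, out)
        return Path(out.name)


def pinned_install(url: str = INSTALLER_URL, expected_sha256: str = PINNED_SHA256) -> int:
    """Download, verify, run. Raises instead of executing if the digest differs."""
    path = fetch_to_temp(url)
    try:
        if not verify_installer(path, expected_sha256):
            raise RuntimeError(
                f"installer digest mismatch: got {sha256_of(path)}, pinned {expected_sha256}"
            )
        return subprocess.run(["bash", str(path)], check=False).returncode
    finally:
        path.unlink(missing_ok=True)
```

Pinning fails closed: when JetBrains ships a new installer revision the check refuses to run it until you have read the new script and updated the digest. Homebrew and npm carry their own package integrity checks, which is why the review suggests them as alternatives.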

What this means

Supplying tokens or provider keys can allow Junie to use account quota, billing, or model access tied to those credentials.

Why it was flagged

The skill documents how to supply Junie and provider API credentials. This is expected for a CLI/model integration, and there is no evidence of hardcoded credentials or credential exfiltration.

Skill content
CLI flag: `--auth`; env var: `JUNIE_API_KEY` ... provider-specific flags and env vars for: Anthropic, OpenAI, Google, xAI / Grok, OpenRouter
Recommendation

Use environment variables for temporary setup, avoid committing keys to config, and provide only the credentials needed for the requested Junie task.

What this means

Task details or repository context provided to Junie may be processed outside the original host agent flow.

Why it was flagged

The skill intentionally delegates work from the host agent to Junie. This is the stated purpose, but it creates an additional agent/provider boundary for prompts, repo context, and results.

Skill content
the host agent should act as the planner/reviewer while Junie acts as a focused implementation or review agent
Recommendation

Limit Junie prompts to the needed scope, avoid sending secrets or sensitive paths unless necessary, and review Junie's changes before accepting them.
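Two of the review's recommendations, keeping provider keys out of committed .junie config (the previous finding) and not passing secrets in the context delegated to Junie (this finding), can share one heuristic. The example below is added here and is not the skill's code; the key-prefix patterns and the sample config are assumptions constructed for illustration, and the generic "sensitive key name" rule is what keeps the check useful if provider key formats change.

```python
"""Added example (not the skill's code): one set of secret-shaped patterns used for two checks,
scanning .junie/config.json for keys that belong in env vars, and redacting secret-shaped
values from repository context before it is handed to Junie."""
from __future__ import annotations

import json
import re
from typing import Iterator

# Heuristic patterns for the providers the skill mentions. Prefixes are assumptions about
# current key formats, not a definitive list.
SECRET_PATTERNS = {
    "anthropic": re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}"),
    "openrouter": re.compile(r"sk-or-[A-Za-z0-9_\-]{20,}"),
    "openai": re.compile(r"sk-(?!ant-|or-)[A-Za-z0-9_\-]{20,}"),
    "google": re.compile(r"AIza[0-9A-Za-z_\-]{30,}"),
    "xai": re.compile(r"xai-[A-Za-z0-9]{20,}"),
}
# Config keys whose inline string value should never be committed, whatever it looks like.
SENSITIVE_KEY_NAMES = re.compile(r"(api[_-]?key|token|secret|password)", re.IGNORECASE)

# Constructed sample config (not a real key): one inline provider key, one env reference, one token.
SAMPLE_CONFIG = json.dumps({
    "model": "claude",
    "providers": {
        "anthropic": {"api_key": "sk-ant-" + "a" * 40},
        "openai": {"api_key": "${OPENAI_API_KEY}"},
    },
    "auth": {"token": "abc123"},
})


def _walk(obj, path: str = "$") -> Iterator[tuple[str, str, object]]:
    """Yield (json_path, last_key, value) for every leaf of a parsed JSON document."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, path.rsplit(".", 1)[-1], obj


def find_committed_secrets(config_text: str) -> list[str]:
    """Return JSON paths whose value looks like a provider key or sits under a sensitive key name.

    An env reference such as "${OPENAI_API_KEY}" is the pattern the review recommends, so it passes."""
    hits = []
    for path, key, value in _walk(json.loads(config_text)):
        if not isinstance(value, str) or not value:
            continue
        if any(pattern.search(value) for pattern in SECRET_PATTERNS.values()):
            hits.append(f"{path}: value matches a provider key pattern")
        elif SENSITIVE_KEY_NAMES.search(key) and not value.startswith("${"):
            hits.append(f"{path}: sensitive key name with an inline value")
    return hits


def redact_context(text: str) -> tuple[str, int]:
    """Replace secret-shaped values with a provider-tagged placeholder before delegating the text."""
    count = 0
    for provider, pattern in SECRET_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED {provider.upper()} KEY]", text)
        count += n
    return text, count
```

Run `find_committed_secrets` over .junie/config.json in a pre-commit hook and `redact_context` over any file contents or shell output you paste into a Junie task; the placeholder keeps the surrounding context readable so Junie can still do the work without seeing the value.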

What this means

Future Junie sessions may rely on persistent project instructions and configuration created or merged by this skill.

Why it was flagged

The bootstrap helper creates persistent .junie guidance and configuration that future Junie runs may use as context. This is expected for Junie project setup.

Skill content
agents_path.write_text(AGENTS_TEMPLATE, encoding="utf-8") ... config_path.write_text(json.dumps(merged, indent=2, sort_keys=True) + "\n"
Recommendation

Review .junie/AGENTS.md, .junie/config.json, and any .junie skills/rules before relying on them, especially in repositories from untrusted sources.
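The snippet above merges then writes config.json in one step, which is exactly the file the recommendation says to review. The example below is added here and is not the skill's bootstrap helper: it deep-merges constructed defaults underneath whatever the repository already has, never overrides a user-set value, and returns the list of changes so the person running the bootstrap can read what was persisted. The default values are assumptions for illustration, not the skill's real template.

```python
"""Added example (not the skill's bootstrap helper): merge default Junie config into an existing
.junie/config.json without overriding user-set values, and return a reviewable change list."""
from __future__ import annotations

import json
from pathlib import Path

# Constructed defaults for illustration; the skill's real template is not reproduced here.
DEFAULTS = {"model": "default-model", "review": {"require_approval": True}, "tools": ["git"]}


def merge_config(existing: dict, defaults: dict, prefix: str = "") -> tuple[dict, list[str]]:
    """Deep-merge defaults under existing values; existing wins on conflict.

    Returns (merged, changes). Each change records a key that was added, or an existing value
    that was kept although the default differs, so nothing persisted is silent."""
    merged = dict(existing)
    changes: list[str] = []
    for key, default in defaults.items():
        path = f"{prefix}{key}"
        if key not in existing:
            merged[key] = default
            changes.append(f"added {path} = {json.dumps(default)}")
        elif isinstance(existing[key], dict) and isinstance(default, dict):
            merged[key], nested = merge_config(existing[key], default, prefix=f"{path}.")
            changes.extend(nested)
        elif existing[key] != default:
            changes.append(
                f"kept {path} = {json.dumps(existing[key])} (default differs: {json.dumps(default)})"
            )
    return merged, changes


def bootstrap_config(config_path: Path, defaults: dict = DEFAULTS) -> list[str]:
    """Read the existing file if present, merge, write only when something changed, return the changes."""
    existing = json.loads(config_path.read_text(encoding="utf-8")) if config_path.exists() else {}
    merged, changes = merge_config(existing, defaults)
    if merged != existing:
        config_path.write_text(json.dumps(merged, indent=2, sort_keys=True) + "\n", encoding="utf-8")
    return changes
```

In a repository cloned from an untrusted source, print the returned change list and also diff the resulting .junie/config.json and .junie/AGENTS.md against what the bootstrap would produce on a clean checkout: any extra instruction or tool entry that the merge "kept" is content the repository author wrote, and it will shape every later Junie session.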

What this means

Local Junie session metadata is read to summarize usage, which may be sensitive in some environments even if the script only prints aggregates.

Why it was flagged

The usage helper reads local Junie session logs to calculate aggregate usage. The code prints totals rather than transcript content, and this is aligned with the `/junie usage` feature.

Skill content
This script reads ~/.junie/sessions and prints aggregate model/cost/token usage.
Recommendation

Run the usage summarizer only on local sessions you are comfortable inspecting, and avoid pointing `--sessions-root` at unrelated private logs.
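To make the "aggregates only" property concrete, the example below is added here and is not the skill's usage script. It assumes an on-disk layout (one JSONL file per session, each line an event carrying model, input_tokens, output_tokens and cost_usd) that the real ~/.junie/sessions directory may not use; the sample events are constructed and deliberately include prompt text so the test can show it never reaches the report. It also refuses any file that resolves outside the chosen sessions root, which is the guard the recommendation about `--sessions-root` calls for.

```python
"""Added example (not the skill's usage script): per-model token and cost totals from a sessions
directory, printing only aggregates. File format is an assumption: one JSONL file per session."""
from __future__ import annotations

import json
from collections import defaultdict
from pathlib import Path
from typing import Iterator

FIELDS = ("input_tokens", "output_tokens", "cost_usd")


def _iter_session_files(root: Path) -> Iterator[Path]:
    """Yield *.jsonl files under root, skipping any that resolve outside it (e.g. via symlink)."""
    root = root.resolve()
    for path in root.rglob("*.jsonl"):
        try:
            path.resolve().relative_to(root)
        except ValueError:
            continue  # points outside the chosen root: refuse to read it
        yield path


def summarize_usage(sessions_root: Path) -> dict[str, dict[str, float]]:
    """Return {model: {input_tokens, output_tokens, cost_usd, events}}; no prompt or response text."""
    totals: dict[str, dict[str, float]] = defaultdict(
        lambda: {"input_tokens": 0.0, "output_tokens": 0.0, "cost_usd": 0.0, "events": 0}
    )
    for path in _iter_session_files(sessions_root):
        with path.open(encoding="utf-8") as f:
            for line in f:
                line = line.strip()
                if not line:
                    continue
                try:
                    event = json.loads(line)
                except json.JSONDecodeError:
                    continue  # corrupt line: skip it rather than abort the whole summary
                model = event.get("model") if isinstance(event, dict) else None
                if not model:
                    continue
                bucket = totals[model]
                bucket["events"] += 1
                for field in FIELDS:
                    bucket[field] += float(event.get(field, 0) or 0)
    return dict(totals)


def format_report(totals: dict[str, dict[str, float]]) -> str:
    """One line per model; only numbers and the model name are ever emitted."""
    lines = [f"{'model':<24}{'events':>8}{'in_tok':>12}{'out_tok':>12}{'cost_usd':>12}"]
    for model, t in sorted(totals.items()):
        lines.append(
            f"{model:<24}{int(t['events']):>8}{int(t['input_tokens']):>12}"
            f"{int(t['output_tokens']):>12}{t['cost_usd']:>12.4f}"
        )
    return "\n".join(lines)


def write_sample_sessions(root: Path) -> None:
    """Constructed sample data (not real Junie logs); prompt text is included to prove it is never printed."""
    day = root / "2026-05-01"
    day.mkdir(parents=True, exist_ok=True)
    events = [
        {"model": "claude-x", "input_tokens": 1200, "output_tokens": 300, "cost_usd": 0.012,
         "prompt": "refactor auth.py"},
        {"model": "claude-x", "input_tokens": 800, "output_tokens": 200, "cost_usd": 0.008,
         "prompt": "fix tests"},
        {"model": "gpt-y", "input_tokens": 500, "output_tokens": 100, "cost_usd": 0.003},
    ]
    (day / "session.jsonl").write_text("\n".join(json.dumps(e) for e in events) + "\n", encoding="utf-8")
    (day / "broken.jsonl").write_text("not json\n", encoding="utf-8")


if __name__ == "__main__":
    import tempfile
    sample_root = Path(tempfile.mkdtemp())
    write_sample_sessions(sample_root)
    print(format_report(summarize_usage(sample_root)))
```

If the real session files hold full transcripts, the same scoping applies: read the minimum fields, keep the root argument pointed at Junie's own directory, and treat the totals as the only thing that leaves the machine.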