Atlassian Cloud APIs + CLIs

Security checks across malware telemetry and agentic risk

Overview

This is a documented Atlassian API and CLI guide with sensitive but disclosed admin/write capabilities, not hidden malware.

Install only if you want an agent to help with Atlassian Cloud automation. Use least-privilege tokens, verify any CLI downloads, keep secrets out of prompts and memory files, and require explicit review before write, admin, bulk, or destructive operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium (85% confidence)
Finding:
The file includes authentication examples for `acli` and `forge` that involve sensitive credentials, including an admin API key, but it does not warn users about secure secret handling, shell history exposure, or avoiding plaintext storage. In a security-sensitive admin/API context, omission of these precautions can lead to accidental credential disclosure through terminals, files, logs, or copied commands.

Missing User Warnings

Low (72% confidence)
Finding:
The markdown provides a direct `curl -LO` binary download and execution path without reminding users to verify the source, integrity, or authenticity of the downloaded executable. While the URL appears to be an official vendor domain, omitting verification guidance increases supply-chain and unsafe-execution risk for users copying commands verbatim.

Missing User Warnings

Medium (89% confidence)
Finding:
The skill includes authenticated Jira API examples using an email and API token but does not warn about secure credential handling, least-privilege use, or the sensitivity of returned Jira data. In an agent skill context, this omission can normalize unsafe token use and enable access to issues, users, comments, and other potentially sensitive project data if operators paste real credentials or run commands without understanding scope.

Missing User Warnings

Medium (85% confidence)
Finding:
The file describes Jira REST APIs in a way that emphasizes operational use but does not clearly state that many referenced endpoints can modify live data, including tickets, comments, worklogs, transitions, and service requests. In a tooling skill intended to help operate cloud APIs, that omission increases the chance of unintended state changes in production environments by users or agents who infer the examples are read-only or low-risk.

Missing User Warnings

Low (88% confidence)
Finding:
The template instructs creating and updating a persistent local file (`~/atlassian/memory.md`) but does not include an explicit user-facing disclosure that information will be stored on disk across sessions. Even though the file says not to store secrets, silent persistence can still retain sensitive operational context, identifiers, and workflow preferences the user may not expect to be written locally.

VirusTotal

66/66 vendors flagged this skill as clean.
