Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

JIRA

v1.3.3

Use when the user mentions Jira issues (e.g., "PROJ-123"), asks about tickets, wants to create/view/update issues, check sprint status, or manage their Jira...

12· 6.7k·49 current·54 all-time
by Jonathan Rhyne (@jdrhyne)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description match the behavior in SKILL.md and README: viewing, creating, updating, and transitioning Jira issues via either the local `jira` CLI or Atlassian MCP. Optional JIRA_* env vars are appropriate for the documented REST/curl fallback. There are no extraneous credentials, binaries, or unrelated capabilities requested.
Instruction Scope
SKILL.md instructs the agent to detect backends (running `which jira` or looking for MCP tools) and to fetch issue state before any modification; it also references reading user-provided files (e.g., /tmp templates) and 'research context' for referenced code/PRs. These actions are sensible for a Jira helper, but 'research context' is somewhat open-ended — ensure the agent only accesses resources you expect and that it shows commands/results before making changes (the skill emphasizes this safety behavior).
Install Mechanism
There is no install spec and no code files — this is instruction-only. That minimizes install-time risk (nothing is downloaded or written by the skill itself). The README points users to official project pages for optional tools (GitHub, Homebrew).
Credentials
The only environment variables mentioned are JIRA_BASE_URL, JIRA_USER, and JIRA_API_TOKEN and they are documented as optional (used only for REST/curl fallback). Nothing requests unrelated secrets or multi-service credentials.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system-wide changes. It documents safety steps (show commands, request approval) before modifications. No evidence it modifies other skills or global agent configuration.
Assessment
This skill appears internally consistent and is appropriate for Jira workflows. Before installing or enabling it: (1) only provide JIRA_API_TOKEN/JIRA_USER/JIRA_BASE_URL if you trust the skill and need REST fallback — prefer local CLI or vetted MCP integrations; (2) confirm the agent shows the exact commands it will run and explicitly approve any write/bulk operations; (3) ask what 'research context' the agent will access if it suggests pulling code or PR details; and (4) restrict use to agents/users who are permitted to modify your Jira projects (to avoid accidental notifications or state changes).

Like a lobster shell, security has layers — review code before you run it.

latestvk97evfz03sx136xd20cmcrc8wn8204n6

Runtime requirements

🎫 Clawdis
