Yandex Tracker
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is a disclosed Yandex Tracker integration, but it can read and change Tracker data, including bulk changes, so users should use limited credentials and confirm broad actions.
Install only if you want OpenClaw to manage Yandex Tracker on your behalf. Provide a dedicated least-privilege or temporary Tracker token, avoid broad admin tokens, and ask the agent to preview and confirm any bulk updates, moves, transitions, or other account-changing actions.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A token with broad Tracker permissions could let the agent read or change many issues, comments, links, worklogs, and custom fields in the organization.
The skill requires delegated Yandex Tracker credentials. This is expected for the integration and includes least-privilege guidance, but the token can authorize Tracker reads and writes.
`TRACKER_TOKEN` — **Required.** Use a least-privilege OAuth token ... with only Tracker scope, or a temporary IAM token ... Do not use broad admin tokens.
Use a dedicated least-privilege or short-lived token, avoid admin-wide credentials, and revoke or rotate the token when no longer needed.
If a request is ambiguous or too broad, generated scripts could update, transition, comment on, or otherwise modify more Tracker items than intended.
The agent is instructed to generate and execute Python code that calls the Tracker API. This is central to the skill, but it gives the agent flexible account-mutation capability.
**Write and execute Python scripts** to fulfill user requests. The workflow: ... performs all needed API calls ... Save to `/tmp/tracker_script.py` and run: `python3 /tmp/tracker_script.py`
For create/update/close/move/bulk requests, ask for a preview or explicit confirmation before allowing changes.
A single broad operation could change statuses, queues, fields, or relationships across many business tasks.
Bulk operations are explicitly in scope. They are purpose-aligned, but a mistaken query or filter could affect many Tracker issues at once.
- Bulk update, transition, or move issues across queues
Use narrow filters, request counts/previews first, and confirm the exact issue list before bulk mutations.
Future package changes could affect behavior when the dependency is installed or upgraded.
The skill depends on an external PyPI package. This is expected for the stated purpose and the package source is named, but no version pin is shown.
kind: pip
package: yandex_tracker_client
provenance: https://pypi.org/project/yandex-tracker-client/
Prefer a pinned, reviewed version of the package in controlled environments.
The local environment will execute generated Python code to access the Tracker API.
The skill uses local Python execution as its normal operating mode. This is disclosed and purpose-aligned, but users should recognize that generated code will run locally.
For simple one-liners it's fine to use `python3 -c "..."`, but prefer a file for anything multi-step.
Run it in a trusted environment and review generated scripts for sensitive or high-impact requests.
