Jira
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked with the wrong issue, status, assignee, comment, or hours value, the skill can create inaccurate or unwanted Jira changes.
The script performs Jira write operations, including status transitions and worklog creation. This is consistent with the skill purpose, but it can modify shared business records.
resp=$(api POST "/rest/api/3/issue/${issue}/transitions" ...); resp=$(api POST "/rest/api/3/issue/${issue}/worklog" ...)
Review commands that write to Jira before running them, especially status changes, assignments, comments, issue creation, and worklog entries.
Anyone or any agent process with access to these environment variables could act on Jira as the configured user.
The skill authenticates to Jira using the user's email and API token. This is expected for Jira Cloud, but it means actions are performed with that account's permissions.
AUTH_HEADER="Authorization: Basic $(printf '%s:%s' "$JIRA_EMAIL" "$JIRA_API_TOKEN" | base64)"
Use a token/account with the minimum necessary Jira permissions, protect the environment variables, and rotate the token if it may have been exposed.
It is harder to independently verify the origin or update history of the included helper script.
The skill's registry metadata does not identify a source repository or verified publisher provenance.
Source: unknown
Inspect the full script before use and prefer installing skills from sources or publishers you trust.
