Maverick Confluence Mcp

Pass

Audited by VirusTotal on May 13, 2026.

Overview

Type: OpenClaw Skill
Name: maverick-confluence-mcp
Version: 1.0.3

The skill is a legitimate integration for Atlassian Confluence via the Atlassian Rovo MCP server (mcp.atlassian.com). The shell scripts (init-mcporter.sh and invoke.sh) are standard boilerplate for managing OAuth token lifecycle and seeding the mcporter credential vault from environment variables. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found; the code logic is strictly aligned with the stated purpose of providing a pass-through to official Atlassian tools.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill can use the connected Atlassian account and maintain local OAuth state for future calls.

Why it was flagged

The script seeds OAuth access and refresh tokens into mcporter's credential vault so the MCP client can authenticate to Atlassian.

Skill content

tokens:     {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}

Recommendation

Use a dedicated, appropriately scoped Atlassian authorization where possible, protect the local mcporter credential vault, and revoke the integration if it is no longer needed.

What this means

If used carelessly, the agent could create, edit, publish, or comment on Confluence content as the connected user.

Why it was flagged

The skill explicitly acknowledges that the hosted MCP tools may perform content-changing actions with the user's Confluence permissions.

Skill content

Tools that create, update, publish, comment on, or otherwise mutate Confluence content should only be invoked after clear user intent.

Recommendation

Require clear user confirmation before any Confluence write, publish, comment, or other mutating action.

What this means

The agent may adapt its behavior based on instructions returned by the Atlassian MCP server.

Why it was flagged

The skill directs the agent to rely on instructions returned by the hosted MCP server. This is expected for MCP discovery, but remote instructions should not override the user's intent or platform safety rules.

Skill content

The output includes the server's `Instructions:` field (read it) ... Treat this as the authoritative reference for the rest of the session.

Recommendation

Follow the MCP server's tool documentation only within the user's requested Confluence task and do not let remote instructions override user approval requirements.

What this means

The installed behavior depends partly on the mcporter package obtained at install time.

Why it was flagged

The skill depends on an external Node package to provide the mcporter binary. This is purpose-aligned, but the provided install spec does not pin a package version.

Skill content

node | package: mcporter | creates binaries: mcporter

Recommendation

Install from a trusted registry/source and prefer a pinned or reviewed mcporter version in controlled environments.