Maverick Jira Mcp

Review

Audited by ClawScan on May 13, 2026.

Overview

This is a coherent Atlassian/Jira MCP connector, but it needs OAuth credentials and can change Jira data when the user clearly asks it to.

Install this only if you trust Atlassian's Rovo MCP service and the `mcporter` dependency, and provide OAuth credentials with the minimum Jira access needed. Treat read-only Jira lookups as low risk, but require explicit confirmation before the agent creates, edits, comments on, or transitions Jira work.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the provider's MCP instructions change, the agent may adapt its Jira tool usage during the session.

Why it was flagged

The skill intentionally relies on Atlassian's live MCP instructions and schemas. This is expected for a hosted MCP pass-through, but it means provider-published text influences tool use.

Skill content

The output includes the server's `Instructions:` field (read it) ... Treat this as the authoritative reference for the rest of the session.

Recommendation

Use the skill for the requested Jira task, and do not let server-published instructions override the user's intent or platform safety rules.

What this means

The agent can change Jira issues, comments, or workflow state using the connected user's permissions.

Why it was flagged

The skill exposes Jira mutation capabilities through the hosted MCP server, while also documenting a user-intent requirement for those actions.

Skill content

Tools that create, edit, comment on, transition, or otherwise mutate Jira work should only be invoked after clear user intent.

Recommendation

Confirm the exact Jira issue, action, and intended change before allowing create, edit, comment, transition, or other mutation tools.

What this means

The skill can act within the Atlassian/Jira permissions granted to the OAuth tokens.

Why it was flagged

The wrapper persists OAuth access and refresh tokens into mcporter's local vault so the integration can authenticate as the connected Atlassian user.

Skill content

tokens:     {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}

Recommendation

Use least-privilege Atlassian authorization, protect the environment variables and local vault, and revoke or rotate tokens when the integration is no longer needed.

What this means

A compromised or unexpectedly changed dependency could affect MCP calls or credential handling.

Why it was flagged

The skill depends on an installed Node package to handle MCP and OAuth calls. The package is central to the purpose, but the install spec does not pin a version.

Skill content

node | package: mcporter | creates binaries: mcporter

Recommendation

Install `mcporter` from a trusted registry/source and pin or verify the version where your environment supports it.