Maverick Jira Mcp
PassAudited by VirusTotal on May 13, 2026.
Overview
Type: OpenClaw Skill Name: maverick-jira-mcp Version: 1.0.3 The skill is a legitimate integration for Atlassian Jira via the Atlassian Rovo MCP server (https://mcp.atlassian.com/v1/mcp/authv2). It uses a helper script (scripts/init-mcporter.sh) to manage OAuth tokens by seeding them from environment variables into the local mcporter vault. The logic is transparent, uses proper locking mechanisms for file access, and lacks any indicators of data exfiltration or unauthorized execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the provider's MCP instructions change, the agent may adapt its Jira tool usage during the session.
The skill intentionally relies on Atlassian's live MCP instructions and schemas. This is expected for a hosted MCP pass-through, but it means provider-published text influences tool use.
The output includes the server's `Instructions:` field (read it) ... Treat this as the authoritative reference for the rest of the session.
Use the skill for the requested Jira task, and do not let server-published instructions override the user's intent or platform safety rules.
The agent can change Jira issues, comments, or workflow state using the connected user's permissions.
The skill exposes Jira mutation capabilities through the hosted MCP server, while also documenting a user-intent requirement for those actions.
Tools that create, edit, comment on, transition, or otherwise mutate Jira work should only be invoked after clear user intent.
Confirm the exact Jira issue, action, and intended change before allowing create, edit, comment, transition, or other mutation tools.
The skill can act within the Atlassian/Jira permissions granted to the OAuth tokens.
The wrapper persists OAuth access and refresh tokens into mcporter's local vault so the integration can authenticate as the connected Atlassian user.
tokens: {access_token: env.mcp_access, refresh_token: env.mcp_refresh, token_type: "Bearer"}Use least-privilege Atlassian authorization, protect the environment variables and local vault, and revoke or rotate tokens when the integration is no longer needed.
A compromised or unexpectedly changed dependency could affect MCP calls or credential handling.
The skill depends on an installed Node package to handle MCP and OAuth calls. The package is central to the purpose, but the install spec does not pin a version.
node | package: mcporter | creates binaries: mcporter
Install `mcporter` from a trusted registry/source and pin or verify the version where your environment supports it.