Jira Expert Brajesh 1

Security checks across malware telemetry and agentic risk

Overview

This Jira administration skill is broad and can guide sensitive Jira changes, but its behavior is disclosed, purpose-aligned, and not hidden or deceptive.

Install only for agents that should help administer Jira. Use a least-privilege Jira account, test workflows and automations in a sandbox, require confirmation before create/update/delete/bulk actions, and review Slack, email, and webhook recipes for privacy, recipient access, and approved destinations before using them in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This documentation explicitly promotes outbound notifications and web requests that can transmit Jira issue fields, user identifiers, or operational metadata to Slack, Teams, email, or arbitrary external HTTP endpoints without any warning about data sensitivity, privacy, or authorization boundaries. In a Jira administration skill, this is materially risky because users may copy recipes directly into production and unintentionally exfiltrate internal ticket contents or personal data to third-party systems.

Missing User Warnings

Severity: Medium
Confidence: 81%
Finding
The reference lists 'Delete issue' as a supported action but does not accompany it with a caution that deletion is destructive and may be irreversible depending on Jira configuration and permissions. In the context of automation guidance, this omission can lead administrators to create rules that remove issues at scale due to broad triggers or mistaken conditions, causing data loss and audit gaps.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The webhook examples send issue summary, description, and assignee data to external services like GitHub and Confluence without any accompanying warning about data sensitivity, authorization boundaries, or privacy review. In a Jira-focused skill, readers may copy these patterns directly into production automations and unintentionally exfiltrate internal or personal data to third-party systems.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The notification examples broadcast issue details and user identity information over Slack and email, including reporter names, URLs, comment bodies, and email addresses, without warning about channel visibility or privacy implications. These examples could lead users to expose sensitive ticket content or personal data to broad audiences or unintended recipients.
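The overview asks operators to review Slack, email, and webhook recipes for approved destinations, recipient access, and privacy before production use, and the four findings above all describe recipes that would fail such a review. The following pre-deployment linter is an added example written for this page, not code from the skill, from SkillSpector, or from Atlassian. It encodes those review steps as checks over a recipe: webhook destinations must be https and on an approved host, destructive or bulk actions must require confirmation and must not hang off an unscoped trigger, sensitive fields (description, comment bodies, e-mail addresses) need a privacy sign-off before they are sent outbound, public Slack channels must not receive them, and e-mail recipients outside the organisation are flagged. The recipe dictionary layout, the field names, the approved-host list and the org domain are all assumptions for illustration; Jira Automation's real export format differs, and the two recipes at the bottom are constructed, not taken from the skill.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed organisation policy (illustrative values, not from the skill).
APPROVED_HOSTS = {"hooks.slack.com", "api.github.com", "confluence.example.com"}
ORG_DOMAIN = "example.com"
# Issue fields that carry free text or personal data; copying them into an
# outbound message needs a privacy review and an audience check first.
SENSITIVE_FIELDS = {"description", "comment.body",
                    "reporter.emailAddress", "assignee.emailAddress"}
DESTRUCTIVE_ACTIONS = {"delete_issue", "bulk_delete", "bulk_edit", "bulk_transition"}
# Triggers that fire on a large share of issues unless narrowed by conditions.
BROAD_TRIGGERS = {"issue_created", "issue_updated", "scheduled"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "high" blocks deployment, "medium" needs a reviewer sign-off
    where: str      # which action in the recipe the finding refers to
    message: str


def lint_recipe(recipe, approved_hosts=APPROVED_HOSTS, org_domain=ORG_DOMAIN):
    """Return the list of policy findings for one recipe (empty list = clean)."""
    findings = []
    trigger = recipe.get("trigger", {})
    # A broad trigger with no conditions means every matching event runs the actions.
    unscoped = trigger.get("type") in BROAD_TRIGGERS and not trigger.get("conditions")
    outbound = {"webhook", "slack", "email"}
    for i, action in enumerate(recipe.get("actions", [])):
        kind = action.get("type", "unknown")
        where = f"actions[{i}] {kind}"
        if kind in DESTRUCTIVE_ACTIONS:
            if not action.get("require_confirmation", False):
                findings.append(Finding("high", where,
                    "destructive action without confirmation; deletion may be irreversible"))
            if unscoped:
                findings.append(Finding("high", where,
                    f"destructive action fires on broad trigger {trigger.get('type')!r} with no conditions"))
        if kind == "webhook":
            url = urlparse(action.get("url", ""))
            if url.scheme != "https":
                findings.append(Finding("high", where, "webhook destination must use https"))
            if url.hostname not in approved_hosts:
                findings.append(Finding("high", where,
                    f"destination {url.hostname!r} is not an approved host"))
        if kind in outbound:
            exposed = sorted(set(action.get("fields", [])) & SENSITIVE_FIELDS)
            if exposed and not action.get("privacy_reviewed", False):
                findings.append(Finding("medium", where,
                    f"sends sensitive fields {exposed} without privacy review"))
            if exposed and kind == "slack" and action.get("channel_visibility") == "public":
                findings.append(Finding("medium", where,
                    f"sensitive fields posted to public channel {action.get('channel')!r}"))
        if kind == "email":
            external = [r for r in action.get("recipients", [])
                        if not r.lower().endswith("@" + org_domain)]
            if external:
                findings.append(Finding("medium", where,
                    f"recipients outside {org_domain}: {external}"))
    return findings


def is_deployable(recipe):
    """True only when the recipe produces no findings at all."""
    return not lint_recipe(recipe)


# Constructed recipe that copies the risky patterns the findings describe.
SAMPLE_RECIPE = {
    "name": "Sync blockers and notify (as copied from the docs)",
    "trigger": {"type": "issue_updated", "conditions": []},
    "actions": [
        {"type": "webhook", "url": "http://hooks.internal-tools.test/jira",
         "fields": ["summary", "description", "assignee.emailAddress"]},
        {"type": "slack", "channel": "#eng-general", "channel_visibility": "public",
         "fields": ["summary", "comment.body", "reporter.emailAddress"]},
        {"type": "email", "recipients": ["lead@example.com", "vendor@contractor.test"],
         "fields": ["summary"]},
        {"type": "delete_issue"},
    ],
}

# The same recipe after review: scoped trigger, approved https target,
# non-sensitive fields only, private channel, confirmation on delete.
FIXED_RECIPE = {
    "name": "Sync blockers and notify (reviewed)",
    "trigger": {"type": "issue_updated", "conditions": ["priority = Blocker", "project = OPS"]},
    "actions": [
        {"type": "webhook", "url": "https://api.github.com/repos/acme/ops/issues",
         "fields": ["summary", "key"]},
        {"type": "slack", "channel": "#ops-oncall", "channel_visibility": "private",
         "fields": ["summary", "key"]},
        {"type": "delete_issue", "require_confirmation": True},
    ],
}

if __name__ == "__main__":
    for recipe in (SAMPLE_RECIPE, FIXED_RECIPE):
        print(recipe["name"], "->", "deployable" if is_deployable(recipe) else "blocked")
        for f in lint_recipe(recipe):
            print(f"  [{f.severity}] {f.where}: {f.message}")
```

Run it before wiring a recipe into production: the first recipe is blocked on eight findings (four high, four medium), the reviewed one passes clean. The allowlist is the part worth keeping strict; a host that is not on it is treated as a hard failure rather than a warning, since an arbitrary webhook URL is exactly how ticket contents leave the tenant.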

VirusTotal

64/64 vendors flagged this skill as clean.