Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw confluence
v1.0.0
Full Confluence Cloud REST API v2 skill (pages, spaces, folders, databases, whiteboards, comments, labels, tasks, properties, etc.) with basic/OAuth auth, pagination, and migration from confluence-cli.
by Kim Seong Uk (@pangin)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md clearly implement a Confluence Cloud REST API v2 client (pages, spaces, attachments, etc.), which is consistent with the skill name and description. However, the registry metadata declares no required environment variables or primary credential even though the skill needs Confluence credentials (basic or OAuth) and a base URL. That mismatch between claimed requirements and real needs is a coherence concern.
Instruction Scope
Runtime instructions and scripts are focused on Confluence API calls and are self-contained. However, the included migration script (scripts/migrate-from-confluence-cli.js) explicitly reads ~/.confluence-cli/config.json and writes a .env file into the skill directory — this accesses files in the user's home directory and writes to disk. While documented in SKILL.md, reading a user home config without further guardrails expands scope and could pull locally-stored credentials into the skill's .env.
Install Mechanism
There is no install specification or external download. All code is bundled with the skill (node scripts). No external URLs, package installs, or archive extracts are invoked during install, which keeps install risk low.
Credentials
The skill requires sensitive environment variables at runtime (CONFLUENCE_BASE_URL, CONFLUENCE_AUTH_METHOD, CONFLUENCE_EMAIL, CONFLUENCE_API_TOKEN or CONFLUENCE_OAUTH_TOKEN, optionally CONFLUENCE_ADMIN_KEY), but the registry metadata lists none and primary credential is unset. Requesting API tokens/OAuth tokens is expected for this functionality, but the lack of declared required env vars in metadata is an inconsistency and should be corrected. Also the migrate script will read credentials from ~/.confluence-cli/config.json and write them to .env, which centralizes credentials into a file the skill will load.
Persistence & Privilege
always:false and no OS restriction — normal. The skill will read a .env file at the skill location (loadDotEnv) and the migration script will create/overwrite that .env file in the skill directory. Writing a .env is typical for CLI tools, but it means secrets will be stored on disk in the agent's filesystem; users should be aware of that persistence.
What to consider before installing
This skill appears to be a full Confluence v2 client and the scripts are generally consistent with that purpose, but there are two practical concerns: (1) the skill actually requires Confluence credentials (email + API token or OAuth token and a base URL) even though the registry metadata lists none — expect to provide sensitive env variables if you use it; (2) the included migration script will read ~/.confluence-cli/config.json and write a .env file inside the skill folder, which can copy credentials from your home directory into a file the skill loads. Before installing: verify the publisher/source, review the scripts (especially migrate-from-confluence-cli.js and scripts/client.js), avoid placing long-lived credentials in global scopes, consider running the skill in an isolated environment, and if you use the migration script inspect ~/.confluence-cli/config.json to ensure it only contains what you intend to export. If you are uncomfortable with a bundled script reading/writing files in your home directory, do not install or run the migration step.
Like a lobster shell, security has layers — review code before you run it.
