OpenClaw confluence
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a broad Confluence API client that appears purpose-aligned, but it can use your credentials to change or delete workspace content and perform privileged admin actions.
Only install this if you intend to let the agent operate directly on your Confluence site. Prefer a least-privilege or read-only token, replace the example site/email with your own values, avoid admin-key mode unless absolutely necessary, and require explicit confirmation for creates, updates, deletes, invites, and role changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could modify or delete Confluence content, settings, or other site data using your account permissions.
This exposes a raw Confluence API escape hatch where any method and path chosen by the agent are sent with the configured credentials, including destructive methods, with no built-in approval or path restrictions.
Usage: call.js <GET|POST|PUT|DELETE> </path> [jsonBody] ... const res = await request(method.toUpperCase(), path, payload);
Use read-only credentials by default, restrict allowed endpoints where possible, and require explicit user confirmation before any POST, PUT, or DELETE request.
Installing users may grant the agent more Confluence privilege than expected, including access through an admin-key setting if enabled.
The skill requires Confluence account credentials and supports an admin-key mode, but the registry declares no primary credential or env vars. This under-describes broad account and possible admin-level authority.
Configure credentials (one of): - Basic: email + API token - OAuth: access token ... # Optional admin key header ... CONFLUENCE_ADMIN_KEY=true
Declare the credential requirements, document minimum OAuth scopes, avoid enabling admin key except for a specific task, and use least-privilege tokens.
Your Confluence API token may be copied into the skill directory and remain there until you remove it.
The migration helper reads an existing local Confluence CLI credential file and writes a token-bearing .env file for this skill. The source and destination are clear, but it persists sensitive credentials locally.
const src = path.join(process.env.HOME || '', '.confluence-cli', 'config.json'); ... fs.writeFileSync(dst, env, 'utf8');
Run migration only intentionally, protect the generated .env file, and delete or rotate tokens when they are no longer needed.
You have less external context for who maintains the skill or where updates originate.
The supplied code is visible and the static scan is clean, but the registry metadata provides limited provenance for a high-privilege integration.
Source: unknown; Homepage: none
Review the included scripts and owner trust before installation, especially because the skill can operate with powerful Confluence credentials.
