Bitbucket

Audited by ClawScan on May 1, 2026.

Overview

No malicious behavior is evident, but this skill can let the agent read Bitbucket repositories, pull requests, diffs, comments, and files using the configured API token.

Install only if you are comfortable letting the agent read Bitbucket data available to the configured token. Create a separate read-only Bitbucket API token, restrict access as much as your workspace allows, specify repositories/branches in requests, and revoke the token when no longer needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may be able to read private Bitbucket repositories, pull requests, comments, diffs, and files that the configured token can access.

Why it was flagged

The skill requires a Bitbucket credential; the requested read scopes are purpose-aligned, but the token can expose private repository and PR data accessible to that account/workspace.

Skill content

`BITBUCKET_API_TOKEN` — a scoped API token with **Repositories: Read** and **Pull requests: Read** only.

Recommendation

Use a dedicated Bitbucket token with read-only scopes and the minimum repository/workspace access needed; rotate or revoke it if you uninstall the skill.

What this means

Broad searches or listings could expose more repository metadata or source locations to the agent than intended for a narrow task.

Why it was flagged

The code-search command can operate across the whole configured workspace; this is consistent with the skill's purpose but broader than a single-repo lookup.

Skill content

Searches across all repos in the workspace, or scoped to a specific repo.

Recommendation

When possible, ask the agent to use a specific repository and branch, and avoid workspace-wide searches unless they are needed.

What this means

Users have less publisher/source context to rely on and should review the included script before trusting it with repository access.

Why it was flagged

The skill's provenance metadata is limited, although the included artifacts show an instruction-only skill with an included bash wrapper and no remote installer.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher/source if possible and review the script contents before configuring a Bitbucket API token.