ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jira

v1.0.1

Manage Jira Cloud issues — search, create, update, comment, transition. Use when user mentions Jira, issues, tickets, sprints, bugs, tasks, or issue keys lik...

0· 147·0 current·0 all-time
byVuk Pejović@pejovicvuk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required env vars (ATLASSIAN_URL, ATLASSIAN_EMAIL, ATLASSIAN_API_TOKEN), and the provided CLI script all align with a Jira Cloud issue-management wrapper. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md instructs setting the three Jira env vars, making the script executable, and using the script commands. The runtime instructions and the script operate solely against the Jira REST API and do not read other files, system config, or send data to unexpected endpoints.
Install Mechanism
No install spec — instruction-only plus an included bash script. Nothing is downloaded or installed from external URLs; the script is intended to be placed in {baseDir} and executed. This is a low-risk installation model.
Credentials
Only the three Atlassian-related environment variables are required, which are appropriate for using Atlassian Cloud REST APIs. The script uses those env vars and no other sensitive variables. No unexplained high-privilege tokens are requested.
Persistence & Privilege
always is false and the skill does not request persistent system-level presence or modify other skills or global agent config. The script runs on demand and only performs API calls with the provided credentials.
Assessment
This skill appears to be what it claims: a simple CLI wrapper around Jira Cloud's REST API. Before installing: (1) only provide a dedicated Atlassian API token with minimal necessary permissions (do not reuse a high-privilege or long-lived token), (2) confirm ATLASSIAN_URL points to your intended Jira instance, (3) run the script in an environment you control (or sandbox) if you are unsure, and (4) note the repository/author is unknown (no homepage provided) — you may want to vet the included jira-cli.sh yourself before supplying sensitive credentials. The script uses embedded python calls to build JSON; avoid passing extremely long or untrusted multiline inputs without review. If you suspect token exposure, rotate the API token immediately.

Like a lobster shell, security has layers — review code before you run it.

latestvk971te0v7strh0wephaawjcv3x83hs9r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎫 Clawdis
EnvATLASSIAN_URL, ATLASSIAN_EMAIL, ATLASSIAN_API_TOKEN

Comments