Jira

Security checks across malware telemetry and agentic risk

Overview

This Jira skill appears legitimate, but it can read and change live Jira data using stored credentials without strong scoping or confirmation controls.

Install only for a trusted workspace and prefer a least-privileged Jira API token limited to the intended projects. Treat this as a Review item because an agent using it can modify live Jira records and enumerate users/projects; require explicit human approval before any write action and avoid broad user searches unless needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly relies on sensitive capabilities: environment variables containing Jira credentials, outbound network access to Atlassian, and shell execution via a bash wrapper. If permissions are not explicitly declared and surfaced to the user/runtime, the skill can perform authenticated actions against Jira without adequate transparency or policy gating, increasing the chance of unintended data access or modification.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The description says the skill manages Jira issues, but the documented behavior also includes retrieving full issue details, listing projects, searching users, and assigning issues. That mismatch reduces informed consent and can expose additional metadata such as user/account identifiers and project inventory beyond what a user may reasonably expect from the brief description.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The script exposes directory-style enumeration capabilities via `users` and `projects`, which go beyond the stated issue-management scope in the manifest. This broadens accessible data and can enable unnecessary discovery of organizational structure and user identities, increasing privacy and reconnaissance risk if the skill is invoked broadly or by an LLM without strict task scoping.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The `users` command returns `emailAddress` along with account identifiers and names, exposing personal directory data not necessary for basic Jira issue operations. This creates avoidable privacy leakage and can facilitate phishing, targeting, or internal user enumeration, especially in an agent setting where queries may be generated automatically.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill offers create, update, comment, transition, and assign operations but does not prominently warn that these commands change remote Jira data. In an agent setting, missing mutation warnings make accidental or unauthorized state changes more likely, especially when the same interface also supports benign read-only queries.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill performs state-changing operations against Jira—creating issues, commenting, transitioning, assigning, and updating—without any built-in confirmation, dry-run mode, or warning to the caller. In an agent context, this increases the chance of unintended remote modifications from ambiguous prompts, prompt injection, or operator misunderstanding.

VirusTotal

67/67 vendors flagged this skill as clean.
