Atlassian MCP (Jira, Confluence)

v1.0.0

Run the Model Context Protocol (MCP) Atlassian server in Docker, enabling integration with Jira, Confluence, and other Atlassian products. Use when you need to query Jira issues, search Confluence, or interact with Atlassian services programmatically. Requires Docker and valid Jira API credentials.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description (run an MCP Atlassian server to access Jira/Confluence) aligns with the provided instructions and script: both pull and run ghcr.io/sooperset/mcp-atlassian:latest with JIRA_URL, JIRA_USERNAME, and JIRA_API_TOKEN.
Instruction Scope
SKILL.md instructs the agent/user to pull and run the Docker image and to provide Jira credentials. The bundled script only validates env vars and runs the container, echoing the URL and username to stdout. It does not read other system files, but the SKILL metadata does not declare the env vars even though the runtime needs them.
Install Mechanism
There is no install spec (instruction-only) and the runtime pulls a container from ghcr.io/sooperset — GHCR is a known registry, but the image contents are unreviewed. Pulling/running a remote container executes third-party code and requires trusting that image.
Credentials
The skill requires JIRA_URL, JIRA_USERNAME, and JIRA_API_TOKEN to function — these are appropriate for the stated purpose but were not declared in the skill's registry metadata (required envs/primary credential are empty). Passing a long-lived API token into an unverified container can expose credentials if the container exfiltrates data or logs envs; the script also prints the URL/username to stdout (possible log leakage).
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and is instruction-only. However, running the container grants it network and runtime privileges on the host (typical for Docker) — so trust boundaries depend on how you run it (user context, network, mounts).
What to consider before installing
This skill will pull and run a third-party Docker image (ghcr.io/sooperset/mcp-atlassian:latest) and requires your Jira URL, username, and API token. That is necessary for its stated function, but the registry metadata did not declare these env vars and the image source is 'unknown' / no homepage provided. Before installing:
1) Verify the image owner and inspect the image (docker pull; docker image inspect; docker scan or a vulnerability scanner).
2) Prefer creating a least-privilege Jira API token (service account) rather than using a personal token.
3) Avoid passing long-lived secrets as plain env vars on long-lived hosts; use ephemeral tokens, docker secrets, or run in an isolated ephemeral environment.
4) Review the container's code/release if possible or run it in a network-isolated sandbox to observe behavior.
5) Be aware that the script prints JIRA_URL and JIRA_USERNAME to stdout (may go to logs).
If you cannot verify the image/source or limit the token's scope, do not run this skill with sensitive credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d6bhs250b5gsm26dtvmxasd7zw2me
