Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawhub Jira Pat Skill

v0.0.1

Manage Jira issues on self-hosted or enterprise Jira instances using Personal Access Tokens in SSO/SAML environments where Basic Auth fails.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md and scripts clearly implement a Jira Personal Access Token (PAT) helper (issue queries, transitions, comments) which matches the skill name/purpose. However the registry metadata claims no required env vars, binaries, or primary credential, while the runtime docs and script require JIRA_PAT and JIRA_URL and assume curl and jq—this mismatch is unexpected.
Instruction Scope
Instructions and the bash script operate only on the Jira REST API using Authorization: Bearer <PAT> and reference only JIRA_PAT and JIRA_URL; they do not attempt to read unrelated files, contact other endpoints, or exfiltrate data beyond the Jira instance. The scope is limited to Jira operations.
Install Mechanism
No install spec (instruction-only) and no remote downloads. A local script is included; it is plain Bash using curl/jq. This is low risk from an install perspective.
Credentials
The skill legitimately requires a Jira PAT and Jira URL (sensible and proportionate). But the registry metadata does not declare these required environment variables (or the PAT as primary credential), which is an incoherence: an agent or platform may not surface or protect the secret as expected. The script also assumes curl and jq are available though binaries were not declared.
Persistence & Privilege
The skill does not request persistent/always-on presence (always: false) and does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other red flags.
What to consider before installing
This skill appears to implement a straightforward Jira PAT helper and the code does what the README says, but the package metadata omitted key operational requirements. Before installing:

  • Confirm the skill owner is trustworthy (registry owner vs _meta.json owner differ). Ask the publisher to correct metadata to list required env vars (JIRA_PAT, JIRA_URL) and binaries (curl, jq) and to declare the PAT as the primary credential.
  • Only provide a PAT with the minimal scopes needed for the tasks you intend (avoid broad admin scopes). Rotate/regenerate the PAT if shared accidentally.
  • Verify JIRA_URL points to your intended, internal Jira server (to avoid sending tokens to an unexpected host).
  • Inspect the included script locally (it is small and readable) and run it in a safe environment before granting any agent automated access to the token.
  • If the publisher cannot or will not fix the metadata, treat the skill as untrusted because the platform may not handle or protect secrets correctly.

If you want this skill to be considered fully coherent/benign, the missing declarations must be added to the registry metadata (required env vars and binaries).

Like a lobster shell, security has layers — review code before you run it.

MIT-0

Jira PAT Skill

Manage Jira issues on self-hosted/enterprise Jira instances using Personal Access Tokens (PAT). This skill is designed for environments where Basic Auth doesn't work due to SSO/SAML authentication.

When to Use This Skill

Use this skill when working with:

  • Self-hosted Jira instances (e.g., Red Hat, enterprise deployments)
  • Jira instances with SSO/SAML authentication
  • Environments where jira-cli or Basic Auth fails

Note: For Atlassian Cloud with email + API token auth, use the clawdbot-jira-skill instead.

Prerequisites

  1. Personal Access Token (PAT): Create one in Jira:

    • Go to your Jira profile → Personal Access Tokens
    • Create a new token with appropriate permissions
    • Store it in environment variable JIRA_PAT
  2. Jira Base URL: Your Jira instance URL in JIRA_URL

Environment Variables

export JIRA_PAT="your-personal-access-token"
export JIRA_URL="https://issues.example.com"

Tools

This skill uses curl and jq for all operations.
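
The requirements above (JIRA_PAT, JIRA_URL, curl, jq) can be checked before any request carries the token. The following is an added example, not part of the skill's own script; it assumes a hypothetical JIRA_ALLOWED_HOSTS variable holding a space-separated list of lowercase hostnames the PAT may be sent to.

```bash
#!/usr/bin/env bash
# Added example. JIRA_ALLOWED_HOSTS is a hypothetical variable introduced here:
# a space-separated list of lowercase hostnames the PAT may be sent to.

# Print the lowercase hostname of an https:// URL. Fails on any other scheme,
# on embedded credentials (user@host), and on hosts with unexpected characters.
jira_url_host() {
  local url="$1" rest host
  case "$url" in
    https://*) rest=${url#https://} ;;
    *) return 1 ;;
  esac
  rest=${rest%%[/?#]*}                       # keep only the authority part
  case "$rest" in *@*) return 1 ;; esac      # userinfo can disguise the real host
  host=${rest%%:*}                           # drop an optional :port
  case "$host" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
  printf '%s\n' "$host" | tr 'A-Z' 'a-z'
}

# Succeed only if the URL's host exactly matches one entry of the allowlist ($2).
jira_host_allowed() {
  local host allowed
  host=$(jira_url_host "$1") || return 1
  for allowed in $2; do
    if [ "$host" = "$allowed" ]; then return 0; fi
  done
  return 1
}

# Run before the first request: binaries, token, then destination host.
jira_preflight() {
  local bin
  for bin in curl jq; do
    if ! command -v "$bin" >/dev/null 2>&1; then
      echo "missing required binary: $bin" >&2; return 2
    fi
  done
  if [ -z "${JIRA_PAT:-}" ]; then echo "JIRA_PAT is not set" >&2; return 3; fi
  if ! jira_host_allowed "${JIRA_URL:-}" "${JIRA_ALLOWED_HOSTS:-}"; then
    echo "JIRA_URL is not an https URL on an allowed host; token not sent" >&2
    return 4
  fi
}
```

Source the file and run `jira_preflight || exit` before any of the curl commands in this document; a plain http:// URL or a look-alike host stops the run before the Authorization header is built.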

Instructions

Get Issue Details

Fetch full details of a Jira issue:

curl -s -H "Authorization: Bearer $JIRA_PAT" \
  "$JIRA_URL/rest/api/2/issue/PROJECT-123" | jq

Get specific fields only:

curl -s -H "Authorization: Bearer $JIRA_PAT" \
  "$JIRA_URL/rest/api/2/issue/PROJECT-123?fields=summary,status,description" | jq

Search Issues (JQL)

# Find child issues of an epic
curl -s -H "Authorization: Bearer $JIRA_PAT" \
  "$JIRA_URL/rest/api/2/search?jql=parent=EPIC-123" | jq

# Complex queries (URL-encoded)
curl -s -H "Authorization: Bearer $JIRA_PAT" \
  "$JIRA_URL/rest/api/2/search?jql=project%3DPROJ%20AND%20status%3DOpen" | jq

Common JQL patterns:

  • parent=EPIC-123 - Child issues of an epic
  • project=PROJ AND status=Open - Open issues in project
  • assignee=currentUser() - Your assigned issues
  • labels=security - Issues with specific label
  • updated >= -7d - Recently updated

Get Available Transitions

Before changing status, query available transitions:

curl -s -H "Authorization: Bearer $JIRA_PAT" \
  "$JIRA_URL/rest/api/2/issue/PROJECT-123/transitions" | jq '.transitions[] | {id, name}'

Transition (Change Status)

Close an issue with a comment:

curl -s -X POST \
  -H "Authorization: Bearer $JIRA_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "transition": {"id": "61"},
    "update": {
      "comment": [{"add": {"body": "Closed via API"}}]
    }
  }' \
  "$JIRA_URL/rest/api/2/issue/PROJECT-123/transitions"

Add a Comment

curl -s -X POST \
  -H "Authorization: Bearer $JIRA_PAT" \
  -H "Content-Type: application/json" \
  -d '{"body": "Comment added via API."}' \
  "$JIRA_URL/rest/api/2/issue/PROJECT-123/comment"

Update Issue Fields

curl -s -X PUT \
  -H "Authorization: Bearer $JIRA_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "fields": {
      "summary": "Updated summary",
      "labels": ["api", "automated"]
    }
  }' \
  "$JIRA_URL/rest/api/2/issue/PROJECT-123"

Create an Issue

curl -s -X POST \
  -H "Authorization: Bearer $JIRA_PAT" \
  -H "Content-Type: application/json" \
  -d '{
    "fields": {
      "project": {"key": "PROJ"},
      "summary": "New issue via API",
      "description": "Issue description",
      "issuetype": {"name": "Task"},
      "parent": {"key": "EPIC-123"}
    }
  }' \
  "$JIRA_URL/rest/api/2/issue"

Useful jq Filters

# Summary and status
jq '{key: .key, summary: .fields.summary, status: .fields.status.name}'

# List search results
jq '.issues[] | {key: .key, summary: .fields.summary, status: .fields.status.name}'

# Issue links
jq '.fields.issuelinks[] | {type: .type.name, key: (.inwardIssue // .outwardIssue).key}'

Troubleshooting

Error | Cause | Solution
401 Unauthorized | Invalid/expired PAT | Regenerate token, check Bearer format
404 Not Found | Issue doesn't exist or no access | Verify issue key and permissions
400 Bad Request on transition | Invalid transition ID | Query available transitions first

Comparison with Basic Auth Skills

This skill uses Bearer token authentication (Authorization: Bearer <PAT>), which works with self-hosted Jira instances using SSO/SAML. For Atlassian Cloud with email + API token, use skills that implement Basic Auth instead.
