ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw confluence

v1.0.0

Full Confluence Cloud REST API v2 skill (pages, spaces, folders, databases, whiteboards, comments, labels, tasks, properties, etc.) with basic/OAuth auth, pagination, and migration from confluence-cli.

0· 2k·0 current·0 all-time
byKim Seong Uk@pangin
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The code and SKILL.md clearly implement a Confluence Cloud REST API v2 client (pages, spaces, attachments, etc.), which is consistent with the skill name and description. However, the registry metadata declares no required environment variables or primary credential even though the skill needs Confluence credentials (basic or OAuth) and a base URL. That mismatch between claimed requirements and real needs is a coherence concern.
!
Instruction Scope
Runtime instructions and scripts are focused on Confluence API calls and are self-contained. However, the included migration script (scripts/migrate-from-confluence-cli.js) explicitly reads ~/.confluence-cli/config.json and writes a .env file into the skill directory — this accesses files in the user's home directory and writes to disk. While documented in SKILL.md, reading a user home config without further guardrails expands scope and could pull locally-stored credentials into the skill's .env.
Install Mechanism
There is no install specification or external download. All code is bundled with the skill (node scripts). No external URLs, package installs, or archive extracts are invoked during install, which keeps install risk low.
!
Credentials
The skill requires sensitive environment variables at runtime (CONFLUENCE_BASE_URL, CONFLUENCE_AUTH_METHOD, CONFLUENCE_EMAIL, CONFLUENCE_API_TOKEN or CONFLUENCE_OAUTH_TOKEN, optionally CONFLUENCE_ADMIN_KEY), but the registry metadata lists none and primary credential is unset. Requesting API tokens/OAuth tokens is expected for this functionality, but the lack of declared required env vars in metadata is an inconsistency and should be corrected. Also the migrate script will read credentials from ~/.confluence-cli/config.json and write them to .env, which centralizes credentials into a file the skill will load.
Persistence & Privilege
always:false and no OS restriction — normal. The skill will read a .env file at the skill location (loadDotEnv) and the migration script will create/overwrite that .env file in the skill directory. Writing a .env is typical for CLI tools, but it means secrets will be stored on disk in the agent's filesystem; users should be aware of that persistence.
What to consider before installing
This skill appears to be a full Confluence v2 client and the scripts are generally consistent with that purpose, but there are two practical concerns: (1) the skill actually requires Confluence credentials (email + API token or OAuth token and a base URL) even though the registry metadata lists none — expect to provide sensitive env variables if you use it; (2) the included migration script will read ~/.confluence-cli/config.json and write a .env file inside the skill folder, which can copy credentials from your home directory into a file the skill loads. Before installing: verify the publisher/source, review the scripts (especially migrate-from-confluence-cli.js and scripts/client.js), avoid placing long-lived credentials in global scopes, consider running the skill in an isolated environment, and if you use the migration script inspect ~/.confluence-cli/config.json to ensure it only contains what you intend to export. If you are uncomfortable with a bundled script reading/writing files in your home directory, do not install or run the migration step.

Like a lobster shell, security has layers — review code before you run it.

latestvk97adhprk2ky4brnjxjwq47xxs80aa0h
2kdownloads
0stars
1versions
Updated 18h ago
v1.0.0
MIT-0
Kim Seong Uk@pangin
latest
Download

Confluence Cloud REST API v2

Use this skill to call Confluence Cloud REST API v2 endpoints directly. Supports all v2 groups (pages, spaces, folders, whiteboards, databases, embeds, comments, labels, properties, tasks, etc.).

Quick Start

  1. Configure credentials (one of):
  • Basic: email + API token
  • OAuth: access token
  1. Call endpoints using scripts in scripts/.

Config

Set these env vars (preferred) or store in a local config file:

CONFLUENCE_BASE_URL=https://pangin.atlassian.net/wiki
CONFLUENCE_AUTH_METHOD=basic   # basic | oauth
CONFLUENCE_EMAIL=chrono3412@gmail.com
CONFLUENCE_API_TOKEN=YOUR_TOKEN
# or for OAuth
# CONFLUENCE_OAUTH_TOKEN=YOUR_OAUTH_ACCESS_TOKEN

# Optional admin key header (Premium/Enterprise only)
# CONFLUENCE_ADMIN_KEY=true

Base URL is always https://<site>.atlassian.net/wiki.

Core Helpers

  • scripts/client.js — HTTP client wrapper, auth header, pagination
  • scripts/* — endpoint groups (pages, spaces, folders, etc.)

Example

# list everything
node scripts/spaces.js list --all
node scripts/pages.js list --all
node scripts/labels.js list --all

# get single items
node scripts/pages.js get 89522178
node scripts/folders.js direct-children 87457793

# ad-hoc call
node scripts/call.js GET /folders/87457793/direct-children

Migration from confluence-cli

If ~/.confluence-cli/config.json exists, map:

  • domainCONFLUENCE_BASE_URL (https://{domain}/wiki)
  • emailCONFLUENCE_EMAIL
  • tokenCONFLUENCE_API_TOKEN

References

  • OpenAPI spec: refs/openapi-v2.v3.json
  • Endpoints list: refs/endpoints.md
  • Scopes: refs/scopes.md
  • Tests: refs/tests.md
  • Usage tips: refs/usage.md

Comments

Loading comments...