Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Snowsand Bitbucket

Interact with Bitbucket Cloud via REST API. Use for repository management, pull request operations (list, view, create, comment, approve, merge), branch mana...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, SKILL.md, references/api.md, and scripts/bitbucket.py are consistent with a Bitbucket Cloud integration. However, the registry metadata claims 'Required env vars: none' while both SKILL.md and scripts/bitbucket.py require BITBUCKET_USERNAME and BITBUCKET_APP_PASSWORD (and optionally BITBUCKET_WORKSPACE). This omission makes the metadata inconsistent with what the skill actually requires.
Instruction Scope
The SKILL.md instructions and the CLI script confine activity to Bitbucket Cloud REST API calls. The runtime instructions and code only reference environment variables for authentication and the Bitbucket API endpoints; they do not instruct reading unrelated system files or sending data to unexpected external endpoints.
Install Mechanism
This is an instruction-only skill with an included Python script; there is no install spec, no downloads, and no archive extraction. Nothing in the manifest indicates code will be pulled from arbitrary URLs or installed system-wide.
Credentials
The script requires BITBUCKET_USERNAME and BITBUCKET_APP_PASSWORD and SKILL.md also recommends BITBUCKET_WORKSPACE. Those credentials are appropriate for Bitbucket API access, but the App Password needs Write permissions for repositories and pull requests to support create/merge/delete actions — granting such an App Password is powerful (can modify/delete repositories, merge PRs, trigger pipelines). The registry failing to declare these env vars is a mismatch that reduces transparency.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistence or modify other skills. It only uses environment variables for auth and performs API calls; autonomous invocation is allowed by default but not excessive given the skill purpose.
What to consider before installing
This skill appears to be a legitimate Bitbucket Cloud CLI, but there are two issues to consider before installing: (1) the registry metadata does not list the required environment variables, yet the code requires BITBUCKET_USERNAME and BITBUCKET_APP_PASSWORD (and optionally BITBUCKET_WORKSPACE). Ask the publisher to correct the metadata so you know what will be requested. (2) The App Password requested needs repository and pull-request write permissions to perform create/merge/delete operations — that is powerful. Only provide an App Password with the minimal scopes you need (use read-only for listing operations), rotate and restrict the password to a dedicated service account, and test in a non-production workspace first. Also note the package has no homepage or known owner listed; prefer skills with a verifiable source or repository when possible.
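One way to check for the metadata mismatch described above before installing a skill, as an added example that is not part of the scan or of the skill's own code. The SKILL.md sample is adapted from the page's curl example, the script body is a constructed stand-in for scripts/bitbucket.py (the page does not show its source), and all function names are hypothetical.

```python
import re

# Ways a skill's files can read an environment variable (Python and shell).
ENV_PATTERNS = [
    re.compile(r"os\.(?:environ(?:\.get)?\s*[\[(]|getenv\()\s*['\"]([A-Z_][A-Z0-9_]*)['\"]"),
    re.compile(r"\$\{?([A-Z_][A-Z0-9_]*)\}?"),
]
IGNORED = {"HOME", "PATH", "PWD", "SHELL", "USER"}  # ambient shell variables
SECRET_HINT = re.compile(r"PASSWORD|TOKEN|SECRET|KEY")

# Constructed sample input: SKILL.md text adapted from the page's curl example;
# the script body is a hypothetical stand-in for scripts/bitbucket.py.
SAMPLE_FILES = {
    "SKILL.md": 'curl -s -u "$BITBUCKET_USERNAME:$BITBUCKET_APP_PASSWORD" '
                '"https://api.bitbucket.org/2.0/repositories/$BITBUCKET_WORKSPACE/my-repo"\n',
    "scripts/bitbucket.py": 'import os\n'
                            'user = os.environ["BITBUCKET_USERNAME"]\n'
                            'password = os.environ["BITBUCKET_APP_PASSWORD"]\n'
                            'workspace = os.environ.get("BITBUCKET_WORKSPACE", "")\n',
}

def referenced_env_vars(files):
    """Map each variable name to the sorted list of files that reference it."""
    found = {}
    for path, text in files.items():
        for pattern in ENV_PATTERNS:
            for name in pattern.findall(text):
                if name not in IGNORED:
                    found.setdefault(name, set()).add(path)
    return {name: sorted(paths) for name, paths in sorted(found.items())}

def undeclared_env_vars(declared, files):
    """Variables the files read that the registry metadata does not declare."""
    declared = set(declared)
    return {n: p for n, p in referenced_env_vars(files).items() if n not in declared}

def secret_like(names):
    """Names that look like credentials and deserve scoped, rotated values."""
    return sorted(n for n in names if SECRET_HINT.search(n))

if __name__ == "__main__":
    # The registry metadata on this page declares no env vars, hence the empty list.
    for name, paths in undeclared_env_vars([], SAMPLE_FILES).items():
        print(f"undeclared: {name} used in {', '.join(paths)}")
```

Run against an unpacked skill by reading each file into the `files` dict and passing the variable names from the registry listing as `declared`; any non-empty result is the same inconsistency the scan reports.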

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0

SKILL.md

Bitbucket Cloud Integration

Bitbucket Cloud REST API v2 integration for repository management, pull requests, branches, commits, and pipelines.

Authentication

Bitbucket Cloud uses App Password authentication. Required environment variables: BITBUCKET_USERNAME and BITBUCKET_APP_PASSWORD (BITBUCKET_WORKSPACE is optional).

Create an App Password with required permissions:

  • Repositories: Read, Write (for repo operations)
  • Pull requests: Read, Write (for PR operations)
  • Pipelines: Read (for pipeline status)
  • Account: Read (for user info)

Test connection:

curl -s -u "$BITBUCKET_USERNAME:$BITBUCKET_APP_PASSWORD" \
  "https://api.bitbucket.org/2.0/user" | jq .

Quick Reference

All operations use the scripts/bitbucket.py script:

| Category | Operation | Command |
|---|---|---|
| Repositories | List repos | bitbucket.py repos |
| Repositories | View repo | bitbucket.py repo my-repo |
| Repositories | Create repo | bitbucket.py create-repo my-new-repo --private |
| Pull Requests | List PRs | bitbucket.py prs my-repo |
| Pull Requests | View PR | bitbucket.py pr my-repo 42 |
| Pull Requests | Create PR | bitbucket.py create-pr my-repo --title "Feature" --source feature-branch |
| Pull Requests | Comment on PR | bitbucket.py pr-comment my-repo 42 "LGTM!" |
| Pull Requests | Approve PR | bitbucket.py approve my-repo 42 |
| Pull Requests | Merge PR | bitbucket.py merge my-repo 42 |
| Pull Requests | Decline PR | bitbucket.py decline my-repo 42 |
| Branches | List branches | bitbucket.py branches my-repo |
| Branches | View branch | bitbucket.py branch my-repo main |
| Branches | Create branch | bitbucket.py create-branch my-repo feature-x --from main |
| Branches | Delete branch | bitbucket.py delete-branch my-repo old-feature |
| Commits | List commits | bitbucket.py commits my-repo |
| Commits | View commit | bitbucket.py commit my-repo abc123 |
| Pipelines | List pipelines | bitbucket.py pipelines my-repo |
| Pipelines | View pipeline | bitbucket.py pipeline my-repo {uuid} |
| Pipelines | Pipeline steps | bitbucket.py pipeline-steps my-repo {uuid} |
| Workspace | List workspaces | bitbucket.py workspaces |
| Workspace | Workspace members | bitbucket.py members |
| Workspace | Current user | bitbucket.py me |

Common Workflows

Repository Management

# List all repositories in workspace
bitbucket.py repos

# List with pagination
bitbucket.py repos --page 2 --pagelen 25

# View specific repository details
bitbucket.py repo my-repo

# Create a new private repository
bitbucket.py create-repo my-new-repo --private --description "Project description"

# Create public repository with specific project
bitbucket.py create-repo my-public-repo --project PROJ

Pull Request Workflow

# List open pull requests
bitbucket.py prs my-repo

# List all PRs (including merged/declined)
bitbucket.py prs my-repo --state all

# View PR details
bitbucket.py pr my-repo 42

# Create a pull request
bitbucket.py create-pr my-repo \
  --title "Add new feature" \
  --source feature-branch \
  --destination main \
  --description "This PR adds..."

# Add a comment
bitbucket.py pr-comment my-repo 42 "Looks good, just one question..."

# Approve the PR
bitbucket.py approve my-repo 42

# Unapprove (remove approval)
bitbucket.py unapprove my-repo 42

# Request changes
bitbucket.py request-changes my-repo 42

# Merge with default strategy
bitbucket.py merge my-repo 42

# Merge with specific strategy
bitbucket.py merge my-repo 42 --strategy squash

# Decline a PR
bitbucket.py decline my-repo 42

Branch Operations

# List all branches
bitbucket.py branches my-repo

# View branch details
bitbucket.py branch my-repo feature-x

# Create branch from main
bitbucket.py create-branch my-repo feature-y --from main

# Create branch from specific commit
bitbucket.py create-branch my-repo hotfix-1 --from abc123def

# Delete a branch (cannot delete main branch)
bitbucket.py delete-branch my-repo old-feature

Commit History

# List recent commits (default branch)
bitbucket.py commits my-repo

# Commits on specific branch
bitbucket.py commits my-repo --branch feature-x

# Limit results
bitbucket.py commits my-repo --pagelen 10

# View specific commit
bitbucket.py commit my-repo abc123def456

Pipeline Status

# List recent pipelines
bitbucket.py pipelines my-repo

# Filter by status
bitbucket.py pipelines my-repo --status SUCCESSFUL
bitbucket.py pipelines my-repo --status FAILED

# View pipeline details
bitbucket.py pipeline my-repo '{pipeline-uuid}'

# View pipeline steps
bitbucket.py pipeline-steps my-repo '{pipeline-uuid}'

# Trigger a pipeline
bitbucket.py run-pipeline my-repo --branch main

Workspace and User Info

# List accessible workspaces
bitbucket.py workspaces

# List workspace members
bitbucket.py members

# Get current user info
bitbucket.py me

Merge Strategies

When merging PRs, available strategies are:

| Strategy | Description |
|---|---|
| merge_commit | Create a merge commit (default) |
| squash | Squash all commits into one |
| fast_forward | Fast-forward if possible |

Pipeline States

| State | Description |
|---|---|
| PENDING | Waiting to start |
| IN_PROGRESS | Currently running |
| SUCCESSFUL | Completed successfully |
| FAILED | Completed with failures |
| STOPPED | Manually stopped |

Error Handling

Common errors:

  • 401 Unauthorized: Check BITBUCKET_USERNAME and BITBUCKET_APP_PASSWORD
  • 403 Forbidden: App password lacks required permissions
  • 404 Not Found: Repository, PR, or branch doesn't exist
  • 400 Bad Request: Invalid parameters or branch name

Raw API Access

For operations not covered by the script:

# GET request
curl -s -u "$BITBUCKET_USERNAME:$BITBUCKET_APP_PASSWORD" \
  "https://api.bitbucket.org/2.0/repositories/$BITBUCKET_WORKSPACE/my-repo" | jq .

# POST request
curl -s -X POST -u "$BITBUCKET_USERNAME:$BITBUCKET_APP_PASSWORD" \
  -H "Content-Type: application/json" \
  -d '{"content": {"raw": "Comment text"}}' \
  "https://api.bitbucket.org/2.0/repositories/$BITBUCKET_WORKSPACE/my-repo/pullrequests/42/comments" | jq .

API docs: https://developer.atlassian.com/cloud/bitbucket/rest/
