Snowsand Bitbucket
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a straightforward Bitbucket API helper, but it can perform real write actions in your Bitbucket workspace and its credential requirements are under-declared in the metadata.
This skill looks purpose-aligned for Bitbucket Cloud administration. Before installing, create a dedicated least-privilege Bitbucket app password, be careful with merge/delete/trigger commands, and require explicit confirmation for any action that changes repositories, branches, pull requests, or pipelines.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could merge or decline pull requests, delete branches, create repositories, or trigger pipelines in a real Bitbucket workspace.
The skill exposes commands that can mutate repositories, pull requests, branches, and CI pipelines. These are coherent with a Bitbucket management skill, but they are high-impact actions that should be explicitly user-directed.
`bitbucket.py merge my-repo 42`, `bitbucket.py decline my-repo 42`, `bitbucket.py delete-branch my-repo old-feature`, `bitbucket.py run-pipeline my-repo --branch main`
Use clear prompts for write actions, confirm repository/PR/branch names before execution, and avoid giving the skill broader Bitbucket permissions than needed.
The app password can allow the agent to act as the user within the granted Bitbucket permissions.
The skill requires delegated Bitbucket credentials and recommends permissions that allow account and repository access. This is expected for the integration, but the registry metadata says no env vars or primary credential are required.
`BITBUCKET_USERNAME` and `BITBUCKET_APP_PASSWORD`; permissions include `Repositories: Read, Write`, `Pull requests: Read, Write`, `Pipelines: Read`, `Account: Read`
Create a dedicated Bitbucket app password with the minimum permissions needed, store it securely as environment variables, and revoke it when no longer needed.
Users have less external context for verifying who maintains the skill or comparing the included code to an upstream project.
The skill does not provide an upstream source or homepage for provenance, although the included script is visible and no external dependency installation is shown.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included script before use and prefer installing from sources with clear provenance when available.
