Snowsand Jira
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: snowsand-jira
Version: 1.0.0
The snowsand-jira skill is a standard integration for interacting with Jira Cloud via its REST API. The core logic in scripts/jira.py uses the Python standard library to perform legitimate issue tracking and project management tasks, with authentication handled securely through environment variables. No evidence of data exfiltration, malicious execution, or prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent misunderstands a request or acts too broadly, it could change Jira tickets, statuses, comments, or worklogs under the user's account.
The skill explicitly enables an agent to create, update, transition, comment on, and log work against Jira issues, which can affect business workflow data. The artifacts do not describe confirmation, preview, project restrictions, or rollback guidance before these mutating actions.
| Create issue | `jira.py create PROJ --type Task --summary "Title" --description "Body"` |
...
| Update issue | `jira.py update PROJ-123 --summary "New title"` |
...
| Transition | `jira.py transition PROJ-123 "In Progress"` |
...
| Log work | `jira.py worklog PROJ-123 --time "2h 30m" --comment "Work done"` |
Require explicit user confirmation for create, update, transition, comment, worklog, and other write operations; restrict use to intended projects or issue keys; and show a preview before making changes.
The agent could use the raw Jira API to perform operations beyond the documented helper commands, limited mainly by the user's Jira account permissions.
The skill provides an escape-hatch pattern for direct Jira REST API calls using the user's token. This is purpose-related, but it bypasses the script's narrower command set and does not define limits on what endpoints or write operations the agent may use.
## Raw API Access
For operations not covered by the script:
```bash
# GET request
curl -s -u "$JIRA_USER_EMAIL:$JIRA_API_TOKEN" ...
# POST request
curl -s -X POST -u "$JIRA_USER_EMAIL:$JIRA_API_TOKEN" ...
```
Prefer scoped helper commands over raw API calls, and require explicit user approval plus endpoint/body review before any raw POST, PUT, DELETE, or other mutating REST request.
Installing users may not realize from the registry metadata that the skill needs a Jira API token and can act with that account's Jira permissions.
The skill clearly requires Jira account credentials, but the registry metadata says there are no required env vars and no primary credential. This looks like an under-declared credential contract rather than hidden credential use.
Jira Cloud uses API token authentication. Required environment variables:
- `JIRA_BASE_URL`
- `JIRA_USER_EMAIL`
- `JIRA_API_TOKEN`
Declare the required Jira environment variables and primary credential in metadata, and advise users to use a least-privilege Jira token or account where possible.
