Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jira API (REST + Agile)

v0.1.0

Automate Jira Cloud by managing worklogs, executing advanced JQL searches, editing/deleting worklogs, handling sprints, and making direct REST API calls.

Stats: 0 stars · 124 downloads · 0 installs (current) · 0 installs (all-time)
by César@temperatio
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious (report available on VirusTotal)
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's code and documentation align with its stated purpose (Jira Cloud REST operations: JQL, worklogs, sprints, raw REST). However, the registry metadata claims 'Required config paths: none' while the included script explicitly reads ~/.config/.jira/.config.yml and ~/.netrc to obtain the Jira server, login and API token — a mismatch between declared requirements and actual behavior.
Instruction Scope
SKILL.md instructs the agent to use the script for Jira REST calls and explicitly tells users to authenticate via ~/.netrc and to avoid pasting tokens in chat. The instructions stay within the Jira automation scope and do not request unrelated system data or external endpoints.
Install Mechanism
There is no install spec (instruction-only + bundled script). That is low-risk in that nothing is automatically downloaded or executed from remote sources. The included Python script has no external dependencies and will run locally.
Credentials
The skill accesses local credential/config files (~/.netrc and ~/.config/.jira/.config.yml) to read your Jira token and server. Access to those files is proportionate to the stated Jira automation purpose, but the metadata did not declare these required config paths or a primary credential — an important omission. The script does not require unrelated environment variables, and there is no evidence it requests unrelated credentials.
Persistence & Privilege
The skill is not always-enabled, does not request elevated platform privileges, and does not modify other skills' configuration. It will act only when invoked.
What to consider before installing
This skill is coherent with Jira automation and the Python script implements expected REST calls. However, before installing or running it note that:
- The script reads your Jira server/login from ~/.config/.jira/.config.yml and your API token from ~/.netrc. The registry metadata incorrectly states no required config paths — verify and be comfortable with these file accesses.
- Use a dedicated Atlassian API token with minimal permissions (not your main account password). Consider creating a token specifically for automation and revoke it if you stop using the skill.
- Review the script yourself (it is included) to confirm it only talks to your Jira host and does not transmit data elsewhere — static review shows it uses urllib to contact the server from the config and contains no obfuscated/external download behavior.
- For destructive operations (delete/update worklogs) follow the documented human-confirm process and consider testing read-only commands first.
- If you want stronger isolation, run the script in a constrained environment (throwaway account, container, or VM) so its access to your real ~/.netrc and Jira is limited.


Latest version: vk975w5wyasy9fzn3gw244ydcsh832h2k
