Jira REST API v3 Commons
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Jira helper, but it requires real shell/API calls that can change or delete Jira data without an explicit confirmation or rollback guard.
Install only if you want the agent to perform real Jira actions from your machine. Use a least-privilege Jira token, verify the Atlassian base URL, require explicit confirmation before any write/delete operation, and review generated shell commands for secrets or unintended changes.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent interprets a task as Jira work, it may directly modify shared Jira data such as issues, comments, worklogs, transitions, or sprint membership.
The skill combines broad Jira mutation capabilities with mandatory execution of live API calls, but the artifacts do not require confirmation for POST/PUT/DELETE or other state-changing operations.
Use this skill to ... create issues ... manage comments (list, add, update, delete) ... log time (worklogs) ... work with boards, backlog, and sprints ... You MUST ... execute a real CLI HTTP call
Use this only with explicit user approval for write/delete actions, prefer read-only or least-privilege Jira tokens where possible, and add a confirmation/dry-run step before mutating Jira.
A token with broad Jira permissions could allow the agent to read or change more Jira projects and issues than intended.
The skill needs Jira API credentials, which is expected for its purpose, but those credentials grant the agent whatever Jira permissions the account or token has.
`ATREST_JIRA_API_TOKEN` ... Required when `ATREST_JIRA_AUTH_MODE=basic`; `ATREST_JIRA_BEARER_TOKEN` ... Required when `ATREST_JIRA_AUTH_MODE=bearer`
Provide a scoped Jira account or token, restrict project permissions, keep tokens out of logs, and rotate the token if it may have been exposed.
Incorrectly formed commands, unsafe local environment values, or temporary files could expose issue content or cause unintended requests.
Shell execution is the documented transport mechanism. It is purpose-aligned, but it means local commands will run and request bodies may be written to temporary files.
For every Jira command, execute the request through the OS shell. ... If the environment is Linux, prefer `curl`. If the environment is Windows, prefer ... `curl.exe` or PowerShell `Invoke-RestMethod`.
Review generated commands before execution, ensure environment variables are trusted, avoid printing secrets, and clean up temporary JSON files that contain sensitive Jira content.
Users have less external context for who maintains the skill or how to validate updates.
There is no executable install payload, which limits supply-chain risk, but provenance is not verifiable from the supplied metadata.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the SKILL.md contents before use and prefer installing from a trusted, auditable source when granting Jira write access.
