Jira REST API v3 Commons

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: jira-rest-v3
Version: 1.1.0

The skill bundle provides a comprehensive and well-documented integration for managing Jira Cloud via its REST API. It includes robust templates for Linux and Windows, emphasizing security practices like credential protection, input encoding, and the use of temporary files for JSON payloads to mitigate shell injection risks in files like SKILL.md and refs/cli-rest-quickref.md. All high-risk capabilities, such as shell execution and network access, are clearly aligned with the stated purpose of the skill and include appropriate safety guidelines, such as requiring explicit user confirmation for destructive actions.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent interprets a task as Jira work, it may directly modify shared Jira data such as issues, comments, worklogs, transitions, or sprint membership.

Why it was flagged

The skill combines broad Jira mutation capabilities with mandatory execution of live API calls, but the artifacts do not require confirmation for POST/PUT/DELETE or other state-changing operations.

Skill content

Use this skill to ... create issues ... manage comments (list, add, update, delete) ... log time (worklogs) ... work with boards, backlog, and sprints ... You MUST ... execute a real CLI HTTP call

Recommendation

Use this only with explicit user approval for write/delete actions, prefer read-only or least-privilege Jira tokens where possible, and add a confirmation/dry-run step before mutating Jira.

What this means

A token with broad Jira permissions could allow the agent to read or change more Jira projects and issues than intended.

Why it was flagged

The skill needs Jira API credentials, which is expected for its purpose, but those credentials grant the agent whatever Jira permissions the account or token has.

Skill content

`ATREST_JIRA_API_TOKEN` ... Required when `ATREST_JIRA_AUTH_MODE=basic`; `ATREST_JIRA_BEARER_TOKEN` ... Required when `ATREST_JIRA_AUTH_MODE=bearer`

Recommendation

Provide a scoped Jira account or token, restrict project permissions, keep tokens out of logs, and rotate the token if it may have been exposed.

What this means

Incorrectly formed commands, unsafe local environment values, or temporary files could expose issue content or cause unintended requests.

Why it was flagged

Shell execution is the documented transport mechanism. It is purpose-aligned, but it means local commands will run and request bodies may be written to temporary files.

Skill content

For every Jira command, execute the request through the OS shell. ... If the environment is Linux, prefer `curl`. If the environment is Windows, prefer ... `curl.exe` or PowerShell `Invoke-RestMethod`.

Recommendation

Review generated commands before execution, ensure environment variables are trusted, avoid printing secrets, and clean up temporary JSON files that contain sensitive Jira content.

What this means

Users have less external context for who maintains the skill or how to validate updates.

Why it was flagged

There is no executable install payload, which limits supply-chain risk, but provenance is not verifiable from the supplied metadata.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Review the SKILL.md contents before use and prefer installing from a trusted, auditable source when granting Jira write access.