ClawHub

Jira Task Creator

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Jira helper that uses a user-provided Jira token to create issues and search users on the configured Jira server.

Install only if you are comfortable giving this skill a Jira bearer token. Use a least-privilege token limited to the intended Jira site and projects, review issue details before calling create_issue, and do not rely on the advertised batch or analytics features unless you obtain and inspect their source.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly promotes CSV-based bulk issue creation but does not document any guardrails such as preview, confirmation, rate limiting, scope restriction, or dry-run behavior. In an agent context, this can lead to accidental or prompt-induced mass creation of Jira issues, causing project data pollution, workflow disruption, and operational noise at scale.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The function transmits user-provided summary, description, assignee, priority, and due date to an external Jira server without any built-in disclosure, confirmation, or consent boundary. In an agent setting, this can cause unintended data exfiltration to third-party infrastructure, especially if users are unaware that their input will be sent over the network.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The user search helper sends user-supplied names or email-like identifiers to Jira without notifying the user. In agent contexts, this can leak personal identifiers externally and may surprise users who did not intend directory lookup against a remote Jira instance.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal