Skill v2.1.0

ClawScan security

Jira Task Creator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Reviewed: Mar 16, 2026, 10:41 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill appears to really be a Jira integration (needs a Jira URL and bearer token), but registry metadata and included files are inconsistent and several claimed features are missing — this looks like sloppy or incomplete packaging rather than clearly malicious code, so proceed with caution.
Guidance
This skill is plausibly a Jira integration, but there are several mismatches and omissions you should consider before installing:

- Source unknown / homepage missing: prefer skills from known authors or repo links. Ask the publisher for a canonical source.
- Required credentials: SKILL.md and the Python code require JIRA_BASE_URL and JIRA_BEARER_TOKEN, but registry metadata lists none. Treat the bearer token as sensitive — only use a token with the minimum required scope and consider creating an account/token for testing only.
- Missing modules/features: the docs reference batch_creator, TaskAnalyzer, templates, and analytics, but those modules are not present. Expect the published package to be incomplete or rely on external components. Ask the author for the missing code or a complete release.
- Secret handling risk: examples show embedding tokens in config.json and enabling file logging. Avoid putting bearer tokens into persistent files or logs unless you control and secure the storage. Prefer environment variables and ephemeral/test tokens.
- Test in isolation: run the code in a sandbox or against a non-production Jira instance first to verify behavior and check logs/network calls. Inspect network traffic (hostname/IP) to ensure requests go to your Jira server only.

If you decide to proceed, request clarifications or a canonical source (GitHub repo/release) and verify the package contents match the documentation and that required env vars are declared in registry metadata. If the author cannot clarify, treat this as untrusted/incomplete and avoid using production credentials.

Review Dimensions

Purpose & Capability
note: The code and SKILL.md clearly target Jira (create issues, search users) and legitimately need JIRA_BASE_URL and JIRA_BEARER_TOKEN. That aligns with the stated purpose. However, the registry-level metadata at the top lists no required environment variables or primary credential, which contradicts the documentation and code.
Instruction Scope
concern: SKILL.md describes many features (batch CSV import, BatchTaskCreator, TaskAnalyzer analytics, templates, Feishu-Jira mapping). The provided Python source implements NaturalLanguageParser, UserSearcher, create_issue, and search_user only. References to batch_creator and task_analyzer are present in docs/examples but those modules are not included — a capability mismatch that could confuse users or hide missing functionality.
Install Mechanism
note: There is no formal install spec in the registry (instruction-only), but SKILL.md instructs users to pip install requests and python-dateutil. That is reasonable for a Python skill. The package.json also documents these dependencies. The inconsistency between 'no install spec' at registry level and the README/package.json/SKILL.md is noteworthy but not itself high-risk.
Credentials
concern: Requesting JIRA_BASE_URL and JIRA_BEARER_TOKEN is proportionate to a Jira integration. However, the registry metadata did not declare these required env vars or a primary credential (contradiction). SKILL.md also shows an example config.json that could include bearerToken on disk; storing tokens in config files or logs (logging.saveToFile true / logDirectory) increases exposure risk if users follow the examples carelessly.
Persistence & Privilege
ok: The skill does not request always:true, does not declare system config paths, and does not modify other skills. Default autonomous invocation is allowed (platform default) but is not combined here with other high-risk indicators.