Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jira

v1.0.0

Manage Jira issues and worklogs via REST API: search, view, create, comment, assign, transition status, and log or report work hours.

by whz@weihezhai · duplicate of @weihezhai/jira-metrics

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious

OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description (Jira issue & worklog management) match the script's behavior: the script calls Jira Cloud REST endpoints to search, create, transition, assign, and log work. However, the registry metadata claims no required environment variables or primary credential while the SKILL.md and scripts clearly require JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN. That discrepancy is incoherent and could lead to the agent not prompting for needed credentials or to user confusion.
Instruction Scope
The SKILL.md instructions and the script stay within the stated purpose: they instruct the user to set Jira credentials and then perform API calls against the JIRA_URL. The runtime behavior (curl/jq calls to Jira endpoints, worklog aggregation) is consistent with the documented commands. No instructions attempt to read unrelated host files or send data to unexpected external endpoints beyond the configured JIRA_URL, but you should verify the JIRA_URL value before use.
Install Mechanism
There is no install spec — the skill is instruction-plus-script only. The included scripts/jira.sh is present in the bundle (no external downloads or extract steps). This is low risk from an install mechanism perspective.
Credentials
The script legitimately needs JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN (basic auth to Jira). That is proportionate to the described functionality — but the registry metadata omitting these required env vars is a red flag: it contradicts the actual credential needs and may cause the platform not to ask for or protect the required secrets. Also note that the skill expects a full API token (sensitive) and will send it (base64 Basic auth) to whatever JIRA_URL is set; ensure you only set a trusted Atlassian URL and scope tokens with least privilege.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request system-wide config paths or attempt to modify other skills. There is no evidence it requests elevated or persistent system privileges.
What to consider before installing
What to check before installing or using this skill:

- The main practical issue: the registry metadata claims no required credentials, but the SKILL.md and scripts require JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN. Do not provide credentials unless you confirm where and how the platform will store and protect them.
- Inspect scripts/jira.sh yourself (it is included) to confirm there are no hidden endpoints. The script makes direct API calls only to the configured JIRA_URL — make sure you set that to your Atlassian instance (https://your-domain.atlassian.net) and not an attacker-controlled host.
- Use a least-privilege API token for automation, and consider creating a service account rather than using a personal admin token.
- Be aware the script uses Basic auth (email:api_token base64) in requests; anyone who can read environment variables or logs on the host could exfiltrate the token. Ensure your environment protects env vars and avoids logging sensitive headers.
- If the platform does not prompt for the required env vars (because metadata omitted them), manually ensure you set them only in a secure credential store and verify the skill reads them from that store rather than from an unprotected shell.
- If anything about the included script differs from SKILL.md at install time, treat that as a serious red flag and do not proceed until reconciled.


latest: vk972a4fxyefv6vdeewb5679sfx81k6fj
