Jira
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill is a coherent Jira helper, but it uses a Jira API token and can change Jira issues and worklogs, so users should install it only with appropriate account permissions.
Before installing, confirm you are comfortable giving this skill a Jira API token that can read and modify Jira data. Use the narrowest practical Jira permissions, set JIRA_BOARD when possible, and manually verify issue keys, assignees, status transitions, comments, and worklog entries before write commands are run.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could change Jira tickets or timesheets in ways visible to the team.
The skill exposes Jira write operations that can alter workflow state, ownership, comments, created issues, and worklogs. This is purpose-aligned and disclosed, but these actions can materially affect business records.
`status ABC-123 "In Progress"` — move an issue ... `assign ABC-123` ... `comment ABC-123` ... `create "Title"` ... `log ABC-123 2.5`
Use clear user instructions for write actions, review issue keys and worklog values before running them, and consider limiting the Jira account or project permissions used with this skill.
The skill can read or modify Jira data that the configured account can access.
The script authenticates to Jira using the user's email and API token. That is expected for Jira Cloud, but it delegates the user's Jira permissions to the skill.
AUTH_HEADER="Authorization: Basic $(printf '%s:%s' "$JIRA_EMAIL" "$JIRA_API_TOKEN" | base64)"
Use a token/account with the least Jira permissions needed, avoid sharing the token, and revoke or rotate it if no longer needed.
A user relying only on registry metadata may not realize before reading the skill instructions that it needs a Jira API token and local command-line tools.
Registry-level metadata does not advertise the required Jira credentials, binaries, or capabilities, even though SKILL.md documents them. This looks like under-declared metadata rather than hidden behavior.
Source: unknown ... Required env vars: none ... Primary credential: none ... Capability signals: No capability tags were derived.
Review SKILL.md before setup and prefer registry metadata that accurately declares required binaries, environment variables, and credential use.