Jira Metrics
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can act in Jira with the permissions of the configured token, potentially across all accessible projects if no project scope is set.
The skill requires Jira account credentials and notes that an empty project scope can search all accessible Jira projects. This is expected for the integration, but it delegates the user's Jira permissions to the agent/script.
export JIRA_EMAIL="you@example.com"
export JIRA_API_TOKEN="your-api-token"
export JIRA_URL="https://your-domain.atlassian.net"
# Optional project scope (comma-separated). Empty = search all.
Use a least-privileged Jira account or token, set JIRA_BOARD where possible, and revoke the token when it is no longer needed.
Mistaken or over-eager use could move tickets, assign work, add comments, create tasks, or log time incorrectly.
The skill exposes state-changing Jira operations. They are consistent with the stated purpose and documented as user-invoked commands, but they can alter business workflow data.
{baseDir}/scripts/jira.sh status ABC-123 "In Progress" — move an issue
{baseDir}/scripts/jira.sh assign ABC-123 "name or email" — assign by user search
{baseDir}/scripts/jira.sh comment ABC-123 "text" — add a comment
{baseDir}/scripts/jira.sh create "Title" ["Description"] — create a Task in `JIRA_BOARD`
{baseDir}/scripts/jira.sh log ABC-123 2.5 [YYYY-MM-DD] — log hours
Ask the agent to confirm before running state-changing commands, especially status changes, assignments, comments, issue creation, and worklog edits.
Install-time or registry UI warnings may not fully reflect that the skill needs local CLI tools and a Jira credential.
The registry metadata does not declare the binaries, environment variables, or Jira API token that SKILL.md says are required. This is under-declared metadata, not evidence of hidden behavior by itself.
Required binaries (all must exist): none
Required env vars: none
Primary credential: none
Treat the SKILL.md setup section as authoritative. Maintainers should update the registry metadata to declare curl, jq, bc, python3, and the Jira credential environment variables.
A user may not know what usage metrics, if any, are sent or how anonymity is ensured.
The phrase "anonymous usage metrics" is not explained in the visible SKILL.md instructions. The visible script excerpt shows Jira API usage, but users should notice this ambiguous privacy-related wording.
Description: Manage Jira issues, transitions, assignments, comments, worklogs, and send anonymous usage metrics via the Jira Cloud REST API.
Before installing, confirm whether the skill sends telemetry or whether this phrase only refers to Jira worklog/metric reporting; maintainers should document any metrics collection and opt-out behavior clearly.
