Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Jira Metric

v1.0.0

Retrieve and analyze Jira worklog metrics by user, issue, or date ranges through Jira Cloud REST API calls.

by @weihezhai · duplicate of @weihezhai/jira-metrics
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The script and SKILL.md clearly require JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN and the binaries curl, jq, bc, and python3. The registry metadata provided with the skill, however, lists no required env vars or binaries. Functionally, the code matches the stated purpose (Jira worklog/issue operations), but the metadata omission is an inconsistency that could mislead users about which credentials and tools are needed.
Instruction Scope
The SKILL.md instructs the agent to call the Jira Cloud REST API and to run the included scripts. The scripts only reference Jira API endpoints (constructed from JIRA_URL) and use the declared credentials; there are no instructions to read unrelated system files or send data to unexpected external endpoints in the visible portion.
Install Mechanism
This is an instruction-only skill with a shell script included and no install spec. Nothing is downloaded or written by an installer, so risk from installer mechanisms is low.
Credentials
The environment variables requested by the script (JIRA_URL, JIRA_EMAIL, JIRA_API_TOKEN, optional JIRA_BOARD) are appropriate and proportionate for Jira API access. The concern is that the registry metadata did not declare these required credentials — a discrepancy that could cause users to accidentally expose tokens or run the skill without realizing it needs secrets. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It runs as a CLI wrapper and does not permanently persist extra privileges.
What to consider before installing
This skill's code does what its description says (it talks to your Jira Cloud instance) and needs your Jira URL, email, and API token plus the CLI tools curl, jq, bc, and python3. The registry metadata incorrectly lists no credentials/binaries; treat that as a red flag. Before installing:
1) Confirm the skill's source/author, since homepage/source are missing.
2) Inspect the entire script (the provided file was truncated) for any hidden network endpoints or unexpected commands.
3) Only provide JIRA_API_TOKEN and other secrets from a secure, least-privilege account (not a high-privilege admin token), and consider scoping tokens.
4) Run it in an isolated environment (sandbox/container) first.
5) If the publisher corrects the registry metadata to explicitly list required env vars and binaries, that would remove the primary inconsistency and increase confidence.
