Security Scan
OpenClaw
Suspicious
high confidence
The skill's code behaves like a Jira CLI and requires Jira credentials and common CLI tools, but the registry metadata claims no required environment variables/binaries — the capability is coherent with Jira usage but the metadata mismatch is concerning and worth verifying before install.
Assessment recommendations
This skill's code does what its description says (talks to your Jira Cloud instance) and needs your Jira URL, email, and API token plus CLI tools (curl, jq, bc, python3). The registry metadata incorrectly lists no credentials/binaries — treat that as a red flag. Before installing: 1) Confirm the skill's source/author since homepage/source are missing. 2) Inspect the entire script (the provided file was truncated) for any hidden network endpoints or unexpected commands. 3) Only provide JIRA_API_T...
⚠ Purpose and capabilities
The script and SKILL.md clearly require JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN and binaries (curl, jq, bc, python3). The registry metadata provided with the skill however lists no required env vars or binaries. Functionally the code matches the stated purpose (Jira worklog/issue operations), but the metadata omission is an inconsistency that could mislead users about what credentials/tools are needed.
✓ Instruction scope
The SKILL.md instructs the agent to call the Jira Cloud REST API and to run the included scripts. The scripts only reference Jira API endpoints (constructed from JIRA_URL) and use the declared credentials; there are no instructions to read unrelated system files or send data to unexpected external endpoints in the visible portion.
✓ Install mechanism
This is an instruction-only skill with a shell script included and no install spec. Nothing is being downloaded or written by an installer; risk from installer mechanisms is low.
⚠ Credential requirements
The environment variables requested by the script (JIRA_URL, JIRA_EMAIL, JIRA_API_TOKEN, optional JIRA_BOARD) are appropriate and proportionate for Jira API access. The concern is that the registry metadata did not declare these required credentials — a discrepancy that could cause users to accidentally expose tokens or run the skill without realizing it needs secrets. No other unrelated secrets are requested.
✓ Persistence and privileges
The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It runs as a CLI wrapper and does not permanently persist extra privileges.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/21
Initial release of the Jira skill.
- Manage Jira issues, transitions, and worklogs via the Jira Cloud REST API.
- Includes commands for searching, status changes, assignment, comments, creation, and logging work.
- Provides worklog summaries and JSON-export for tracked hours.
- Supports filtering by project, user, day, and issue.
- Requires `curl`, `jq`, `bc`, and `python3`; environment variables for Jira Cloud credentials.
● Suspicious
Install command
Official: npx clawhub@latest install jirametric
Mirror: npx clawhub@latest install jirametric --registry https://cn.clawhub-mirror.com
Skill documentation
---
name: jira
description: Manage Jira issues, transitions, and worklogs via the Jira Cloud REST API.
homepage: https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/
metadata:
  {
    "clawdbot":
      {
        "emoji": "🧭",
        "requires":
          {
            "bins": ["curl", "jq", "bc", "python3"],
            "env": ["JIRA_URL", "JIRA_EMAIL", "JIRA_API_TOKEN"],
            "optional_env": ["JIRA_BOARD"]
          },
      },
  }
---
# Jira Skill
Work with Jira issues and worklogs from Clawdbot (search, status, create, log work, worklog summaries).
## Setup

- Get your API key: https://id.atlassian.com/manage-profile/security/api-tokens
- Click "Create API Token"
- Set environment variables:

  ```bash
  export JIRA_EMAIL="you@example.com"
  export JIRA_API_TOKEN="your-api-token"
  export JIRA_URL="https://your-domain.atlassian.net"
  # Optional project scope (comma-separated). Empty = search all.
  export JIRA_BOARD="ABC"
  ```

Requires `curl`, `jq`, `bc`, and `python3`.

## Quick Commands

All commands live in `{baseDir}/scripts/jira.sh`.

- `{baseDir}/scripts/jira.sh search "timeout" [max]` — fuzzy search by summary or key inside `JIRA_BOARD`
- `{baseDir}/scripts/jira.sh link ABC-123` — browser link for an issue
- `{baseDir}/scripts/jira.sh issue ABC-123` — quick issue details
- `{baseDir}/scripts/jira.sh status ABC-123 "In Progress"` — move an issue (validates available transitions)
- `{baseDir}/scripts/jira.sh transitions ABC-123` — list allowed transitions
- `{baseDir}/scripts/jira.sh assign ABC-123 "name or email"` — assign by user search
- `{baseDir}/scripts/jira.sh assign-me ABC-123` — assign to yourself
- `{baseDir}/scripts/jira.sh comment ABC-123 "text"` — add a comment
- `{baseDir}/scripts/jira.sh create "Title" ["Description"]` — create a Task in `JIRA_BOARD`
- `{baseDir}/scripts/jira.sh log ABC-123 2.5 [YYYY-MM-DD]` — log hours (defaults to today UTC)
- `{baseDir}/scripts/jira.sh my [max]` — open issues assigned to you
- `{baseDir}/scripts/jira.sh hours 2025-01-01 2025-01-07` — your logged hours by issue (JSON)
- `{baseDir}/scripts/jira.sh hours-day 2025-01-07 [name|email]` — logged hours for a day grouped by user/issue; optional filter (name/email; also resolves to accountId)
- `{baseDir}/scripts/jira.sh hours-issue ABC-123 [name|email]` — logged hours for an issue; optional filter (name/email; also resolves to accountId)

## Command Reference

- Search issues

  ```bash
  {baseDir}/scripts/jira.sh search "payment failure" [maxResults]
  ```

- Issue link

  ```bash
  {baseDir}/scripts/jira.sh link ABC-321
  ```

- Issue details

  ```bash
  {baseDir}/scripts/jira.sh issue ABC-321
  ```

- Update status

  ```bash
  {baseDir}/scripts/jira.sh status ABC-321 "Done"
  ```

- List transitions

  ```bash
  {baseDir}/scripts/jira.sh transitions ABC-321
  ```

- Assign issue

  ```bash
  {baseDir}/scripts/jira.sh assign ABC-321 "Jane Doe"
  ```

- Assign to yourself

  ```bash
  {baseDir}/scripts/jira.sh assign-me ABC-321
  ```

- Add comment

  ```bash
  {baseDir}/scripts/jira.sh comment ABC-321 "Deployed to staging"
  ```

- Create issue

  ```bash
  {baseDir}/scripts/jira.sh create "Fix auth timeout" "Users being logged out after 5m"
  ```

- Log hours

  ```bash
  {baseDir}/scripts/jira.sh log PB-321 1.5 2025-01-18
  ```

- My open issues

  ```bash
  {baseDir}/scripts/jira.sh my [maxResults]
  ```

- Logged hours by issue (me)

  ```bash
  {baseDir}/scripts/jira.sh hours 2025-01-01 2025-01-05
  ```

- Logged hours for a day (everyone)

  ```bash
  {baseDir}/scripts/jira.sh hours-day 2025-01-05
  ```

- Logged hours for a day (user filter)

  ```bash
  {baseDir}/scripts/jira.sh hours-day 2025-01-05 "jane"
  ```

- Logged hours for an issue

  ```bash
  {baseDir}/scripts/jira.sh hours-issue ABC-321 "jane"
  ```

## Notes

- Worklog commands use Jira's `worklog/updated` + `worklog/list` combo and may take a few seconds on large projects.
- `hours` filters by `JIRA_EMAIL`; `hours-day` returns all users with totals per issue and user.

Data source: ClawHub · Chinese localization: 龙虾技能库