Is arkiant/jiraandconfluence-skill safe?

https://github.com/openclaw/skills/tree/main/skills/arkiant/jiraandconfluence-skill

93
SAFE

This is a legitimate Jira and Confluence integration skill that provides basic API wrapper functionality through shell scripts. The skill contains no malicious code and exhibits clean installation behavior with no data exfiltration attempts.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 85/100 · 5%

Findings (4)

MEDIUM Placeholder domain in API scripts -5

The shell scripts contain the placeholder domain 'your-domain.atlassian.net', which would need to be modified for actual use, potentially causing configuration issues.

LOW Executable shell scripts present -15

The skill contains executable shell scripts that make API calls and source other scripts, which poses some execution risk.

LOW API token exposure in process lists -10

API tokens are passed directly to curl commands, which may expose them in process lists during execution.

LOW Missing input validation -5

The shell scripts accept user input without validation, which could lead to command injection if the calling system does not handle that input properly.