Is atakanermis/atlassian-mcp safe?

https://github.com/openclaw/skills/tree/main/skills/atakanermis/atlassian-mcp

12
MALICIOUS

The skill exhibits highly malicious behavior by accessing sensitive credential files during installation and establishing network connections to external servers. It runs an untrusted Docker container with full access to user credentials, creating severe supply chain and data exfiltration risks.

Category Scores

Prompt Injection 100/100 · 30%
Data Exfiltration 0/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 0/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 0/100 · 5%

Findings (6)

CRITICAL Direct Access to Sensitive Credentials -100

The skill script accesses multiple sensitive credential files including SSH keys, AWS credentials, Docker config, npm config, and GCloud credentials during the installation process. These are read from the user's home directory and could be leaked or exfiltrated if the container or script were modified maliciously.

CRITICAL Unauthorized Filesystem Access During Clone -100

During installation, the skill's clone process triggers access to sensitive system and user files, including SSH authorized keys and shadow files. This indicates that the clone or setup script performs unauthorized reconnaissance of the host system.

CRITICAL External Network Connection to GitHub -100

The installation process connects to GitHub (140.82.121.4:443) to clone the repository, which indicates potential for network exfiltration and allows remote code execution via updated container images or scripts.

HIGH Docker Container Receives Full Access to Credentials -75

The run script passes raw Jira API credentials directly to the Docker container via environment variables. This means the containerized service has full access to the user's Atlassian account and could potentially exfiltrate these secrets or perform malicious actions.

HIGH External Container Image with No Source Code Review -80

The skill pulls and runs an unverified Docker container from a third-party registry (ghcr.io/sooperset/mcp-atlassian:latest). The container's source code and behavior are not auditable, creating a severe supply chain risk.

MEDIUM Credential Persistence in Environment -50

Running a long-lived Docker container with embedded API tokens creates a persistent security risk. If the container is compromised, it can be used for lateral movement, data theft, or unauthorized actions in Jira and Confluence.