Is jira-api safe?

https://clawhub.ai/byungkyu/jira-api

72
CAUTION

This Jira API skill is a markdown-only documentation skill with no executable code in the repository itself. However, it routes ALL Jira API traffic through a third-party proxy gateway (maton.ai), giving the gateway operator full visibility into user data and OAuth tokens. Filesystem monitoring during install showed access to sensitive files including .aws/credentials and .env, though no outbound network exfiltration was detected. The skill is functional but requires significant trust in the Maton third-party infrastructure.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 70/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (10)

HIGH All traffic routed through third-party proxy gateway -30

Every Jira API call is proxied through gateway.maton.ai rather than going directly to api.atlassian.com. The gateway operator (Maton) has full visibility into all Jira data, search queries, issue content, and OAuth tokens. Users trust the gateway with complete read/write access to their Jira instance.

HIGH Sensitive file access during installation -15

Filesystem monitoring detected reads of .env, .aws/credentials, .profile, .bashrc, and multiple openclaw configuration files during the install phase. While some of these may be normal for the ClawdBot runtime environment, access to .aws/credentials is concerning.

MEDIUM Troubleshooting instructs echoing API key to stdout -15

The troubleshooting section contains 'echo $MATON_API_KEY' which would cause the agent to print the secret API key in its output. This could leak the key into conversation logs, other skill contexts, or screen output visible to observers.

MEDIUM Cross-skill promotion could chain attack surface -10

The skill description explicitly directs the agent to use another skill (api-gateway from the same author) for 'other third party apps'. This cross-promotion could lead to automatic installation or invocation of additional skills, expanding the attack surface.

MEDIUM Inline executable code blocks encourage agent code execution -7

The Quick Start section and the rest of the skill contain Python heredoc code blocks that the agent is implicitly expected to execute. While this is a common pattern for API skills, it means the agent will run arbitrary Python code from the skill's instructions.

MEDIUM Lock file and temp artifacts created during install -15

The installation process created a lock file at /tmp/openclaw-1000/gateway.e9191928.lock and multiple JIT compilation cache files under /tmp/jiti/. While likely from the ClawdBot runtime, the gateway lock file name suggests network gateway initialization during a supposedly offline install.

MEDIUM Credential relay risk — Maton as persistent OAuth broker -25

Users provide a MATON_API_KEY which grants Maton's gateway persistent delegated OAuth access to their Jira Cloud instance. If Maton's infrastructure is compromised, or if Maton acts maliciously, all connected Jira instances are exposed. Users cannot audit what the gateway does with their data.

LOW Connection management exposes session tokens in URLs -5

The Create Connection response includes a URL with a session_token query parameter. If the agent outputs this URL, the session token could be leaked.

INFO No executable code in skill repository 0

The skill contains only SKILL.md, _meta.json, LICENSE.txt, and origin metadata. No JavaScript, Python, shell scripts, npm packages, git hooks, submodules, or symlinks are present in the repo itself.

INFO Canary files unmodified 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained intact throughout the audit.