Is dejanb/clawhub-jira-pat-skill safe?
https://github.com/openclaw/skills/tree/main/skills/dejanb/clawhub-jira-pat-skill
The clawhub-jira-pat-skill is a straightforward Jira REST API helper for self-hosted enterprise Jira instances using Bearer token authentication. The SKILL.md contains clean instructional documentation with no prompt injection, override directives, or exfiltration mechanisms, and the accompanying jira-pat.sh shell script is a safe curl/jq wrapper with proper argument quoting. The only notable concerns are a developer artifact lock.json referencing an unrelated skill, a missing JQL URL-encoding step in one function, and platform-level network connections from the OpenClaw gateway that are unrelated to the skill's own code.
Findings (5)
LOW (-7): Shell script included in skill bundle
scripts/jira-pat.sh is a Bash script distributed with the skill. While its content is benign (standard curl wrappers with proper jq argument quoting), the presence of an executable script in a skill package warrants review. It is not auto-executed during install.
LOW (-6): JQL parameter concatenated into URL without encoding
The jira_search() and jira_children() functions append user-supplied JQL strings directly into the curl URL (e.g., ?jql=$jql and ?jql=parent=$epic_key) without URL-encoding them. If these functions are called with adversarial input containing characters such as &, %, or spaces, the request URL may be malformed or the unencoded characters may be interpreted as additional query parameters. Not malicious by design, but a code hygiene issue.
INFO (-15): Lock file references unrelated skill (academic-research-hub)
The committed .clawhub/lock.json inside the skill repo contains an entry for academic-research-hub v0.1.0. This appears to be a developer artifact from the author's own workspace environment that was inadvertently included in the published skill. There is no code that reads or acts on this lock file, but it is unexpected metadata in a published skill package.
INFO (-15): Post-install outbound connections from openclaw-gateway agent
After skill installation, the openclaw-gateway process (pid=1090, the audit platform agent) established TCP connections to 98.83.99.233:443 and 54.211.197.216:443 (both AWS-hosted IPs). These connections are attributed to the platform infrastructure rather than the skill, but are noted for completeness.
INFO (-12): Canary files accessed during audit window (platform access, not skill)
Audit PATH records show accesses to /home/oc-exec/.env at 1771909635.357 and 1771909642.421 during the active audit window, in addition to the expected pre/post baseline scans. All canary files remained intact with no modification. Accesses are consistent with the openclaw-gateway agent's periodic environment monitoring, not the skill.