Safety Report

Jira

Name: Jira
Rating: 5 (6 reviews)
Author: byungkyu

Jira API integration with managed OAuth. Search issues with JQL, create and update issues, manage projects and transitions. Use this skill when users want to interact with Jira issues, projects, or workflows. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).

4,870Downloads

4Installs

6Stars

6Versions

API Integration4,971 Workflow Automation3,323 Search & Retrieval2,116 Project Management1,537

Security Analysis

medium confidence

Clean

The skill is internally consistent with a Jira integration that uses a Maton gateway and a single MATON_API_KEY; no unexpected binaries, installs, or file I/O are present, but the ability for the model to invoke the skill and the unknown third-party gateway merit caution.

Feb 11, 20262 files1 concern

Purpose & Capabilityok

Name/description match the behavior in SKILL.md: it proxies Jira Cloud API calls through maton.ai endpoints and manages OAuth connections. The single required env var (MATON_API_KEY) is appropriate for an API gateway service.

Instruction Scopeok

Runtime instructions are limited to making HTTP requests to gateway.maton.ai and ctrl.maton.ai and reading MATON_API_KEY from the environment. The instructions do not ask the agent to read unrelated files, system config, or other environment variables.

Install Mechanismok

No install spec or code files are provided (instruction-only skill), so nothing is written to disk or fetched during installation. This minimizes install-time risk.

Credentialsok

Only MATON_API_KEY is required. That is proportionate for a gateway-managed OAuth Jira integration. There are no unexplained SECRET/TOKEN/PASSWORD env requirements.

Persistence & Privilegeconcern

Flags do not set disableModelInvocation, so the model can autonomously invoke the skill. Because the skill can create, update, and delete Jira issues, an agent with that API key could perform destructive or privacy-impacting operations without explicit user confirmation. The skill is not marked always:true, which reduces some risk, but model-invocable modifications are still possible.

Guidance

This skill appears to do what it says: proxy Jira API calls via Maton and manage OAuth connections, and it only requires a single MATON_API_KEY. Before installing, verify you trust the maton.ai / ctrl.maton.ai / gateway.maton.ai services (the skill's source/homepage are unknown). Limit the MATON_API_KEY scope to the minimum permissions needed (prefer read-only for initial testing), avoid using a high-privilege production key, and consider rotating the key after testing. If you do not want the agent performing Jira changes autonomously, ensure the platform can disable model-initiated skill invocation or set the skill to require explicit user invocation. Finally, test first with a non-production Jira account or project to confirm behavior.

Latest Release

v1.0.5

- Added clawdbot metadata including emoji and required environment variable MATON_API_KEY to SKILL.md. - No changes to functionality or user instructions.

More by @byungkyu

API Gateway

180 stars

Microsoft Excel

30 stars

Fathom

11 stars

Todoist

11 stars

Microsoft OneDrive

7 stars

Monday.com

5 stars

Published by @byungkyu on ClawHub