dimos92

jira-issue-analyzer

Author: Dimos · GitHub · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
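Total downloads: 115
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install jira-issue-analyzer
Description
Jira issue analysis orchestrator. It fetches the issue and its attachments, delegates to the log-analysis subagent, and writes the final Markdown report to a local directory. Intended for cases where the user asks for a Jira issue analysis document.
Usage (SKILL.md)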

Jira Issue Analyzer

Prerequisites

  1. Jira script directory (moved into the Skill, no longer in the project directory):
    • ~/.cursor/skills/jira-issue-analyzer/jira
  2. Initialize the virtual environment (required):
    • cd ~/.cursor/skills/jira-issue-analyzer/jira
    • python3 -m venv .venv
    • .venv/bin/python -m pip install -r requirements.txt
  3. Configuration:
    • cp .env.example .env
    • Fill in JIRA_BASE_URL and JIRA_TOKEN
  4. Connection test (must use the venv python):
    • .venv/bin/python main.py --test

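Standard workflow

1) Fetch the issue information

cd ~/.cursor/skills/jira-issue-analyzer/jira
.venv/bin/python main.py get <ISSUE_KEY_OR_URL> -f json

2) Download attachments

cd ~/.cursor/skills/jira-issue-analyzer/jira
.venv/bin/python main.py download <ISSUE_KEY_OR_URL> -d /tmp/jira_<ISSUE_KEY>

3) Extract archives and process them recursively

Extract archives when needed so their contents can serve as input for the later analysis.

4) Delegate to the log-analysis subagent

Delegate log analysis and root-cause attribution directly to the personal subagent:

  • jira-log-analyst (definition file: ~/.cursor/agents/jira-log-analyst.md)

5) Produce the standard report

Write the report following the structure of report-template.md.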

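6) Save the report to a local file

Save the report as a Markdown file in the project directory:

  • Directory: <project>/.cursor/work/jira/
  • Suggested file name: <ISSUE_KEY>_analysis.md

Example path:

  • /Users/zhangyu/FlutterProject/flutter_hiigge_app/.cursor/work/jira/PI2506-150_analysis.md

7) Clean up downloaded attachments

After the report has been generated and saved, delete the temporary attachment directory so files do not pile up on disk:

  • For example, delete /tmp/jira_<ISSUE_KEY>
  • Run this only after the report has been fully written to disk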

Quick command reference

# Get issue details
cd ~/.cursor/skills/jira-issue-analyzer/jira
.venv/bin/python main.py get HA-2560 -f json

# Download attachments
.venv/bin/python main.py download HA-2560 -d /tmp/jira_HA-2560
Security usage recommendations
Things to check before installing or running this skill:

  • Metadata vs code: The registry declares no required env vars, but the code and SKILL.md require JIRA_BASE_URL and JIRA_TOKEN. Treat this as a packaging oversight — confirm you are comfortable providing a Jira token before proceeding.
  • Token scope: Use a Jira personal access token with minimal scope/expiration appropriate for read-only issue/attachment access, not a full admin token. Do not reuse broad credentials.
  • Proxy behavior: The Jira client disables environment proxy settings (session.trust_env = False). If your organization relies on an HTTP(S) proxy for egress control or monitoring, this will bypass it. Ask the maintainer why this was set; remove or change it if you need proxy-based controls.
  • Hard-coded script: jira/unzip_attachment.py contains a hard-coded zip filename (c52056b2-..._app_log.zip) and will exit if that file is not present; it appears to be an example or leftover. Review and either remove or parameterize it before running to avoid unexpected behavior.
  • Inspect .env.example: Confirm what variables are required and that no extra secrets are requested. The code currently only reads JIRA_BASE_URL and JIRA_TOKEN but verify there are no hidden env dependencies.
  • Run in isolated environment: Create the venv as instructed and review the code locally before executing. Consider running network-active parts in an environment where you can monitor outbound requests (e.g., via a firewall or proxy you control).
  • Confirm report storage: Reports and attachments will be written to your project .cursor/work/jira and temporary /tmp/jira_<ISSUE_KEY> by default. Ensure you are comfortable with these locations and that sensitive attachments are handled according to your policy.

If the publisher updates the registry to declare required env vars, documents why proxies are disabled, and removes or documents the hard-coded unzip example, my confidence that the package is coherent would increase.
Functional analysis
Type: OpenClaw Skill
Name: jira-issue-analyzer
Version: 1.0.0
The skill bundle contains a path traversal vulnerability in `jira/jira_client.py` within the `download_attachment` method, as it joins a destination directory with an unsanitized filename provided by the Jira API. Additionally, the workflow in `SKILL.md` requires high-risk operations such as shell execution for environment setup and dependency installation. While the code appears to serve its stated purpose of Jira analysis, these risky capabilities and the lack of input sanitization meet the threshold for a suspicious classification under the provided criteria.
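The path handling behind this finding, as an added Python example (not the skill's own code; `naive_attachment_path`, `safe_attachment_path`, `demo` and the sample names are hypothetical): a plain join lets an API-supplied name leave the download directory, while the hardened helper keeps only the final path component and checks containment after resolving symlinks.

```python
import os
import tempfile
from pathlib import Path, PureWindowsPath

# Constructed sample names standing in for attachment names returned by the Jira API.
SAMPLE_NAMES = ["app_log.zip", "../../.ssh/authorized_keys",
                "/etc/cron.d/job", "..\\..\\evil.bat", ".."]


def naive_attachment_path(dest_dir: str, filename: str) -> str:
    """The pattern the analysis describes: join directory and supplied name as-is."""
    return os.path.normpath(os.path.join(dest_dir, filename))


def safe_attachment_path(dest_dir: str, filename: str) -> Path:
    """Return a write path guaranteed to stay inside dest_dir, or raise ValueError."""
    base = Path(dest_dir).resolve()
    # Keep only the last component; PureWindowsPath splits on both "/" and "\".
    name = PureWindowsPath(filename).name
    if name in ("", ".", "..") or "\x00" in name:
        raise ValueError(f"unusable attachment name: {filename!r}")
    candidate = (base / name).resolve()
    # Defence in depth: a symlink already present under base must not redirect the write.
    if base not in candidate.parents:
        raise ValueError(f"attachment path escapes {base}: {filename!r}")
    return candidate


def demo(dest_dir: str) -> dict:
    """Map each sample name to its sanitized path, or 'rejected'."""
    rows = {}
    for name in SAMPLE_NAMES:
        try:
            rows[name] = str(safe_attachment_path(dest_dir, name))
        except ValueError:
            rows[name] = "rejected"
    return rows


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, result in demo(d).items():
            print(f"{name!r:34} naive={naive_attachment_path(d, name)}  safe={result}")
```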
Capability assessment
Purpose & Capability
The skill's name/description match the included Python code (jira_client, main) which fetches issues, downloads attachments, and produces reports. However, the registry metadata declares no required environment variables or primary credential, while the code and SKILL.md clearly require JIRA_BASE_URL and JIRA_TOKEN — a metadata mismatch that should be resolved.
Instruction Scope
SKILL.md stays within the stated purpose (create venv, install requirements, fill .env, run main.py to get/download issues, delegate to included jira-log-analyst). It references only local paths under ~/.cursor and the target project .cursor/work/jira for report output. It does not instruct exfiltration to external endpoints beyond the configured Jira server. Still, the instructions assume files live in ~/.cursor/skills and require a .env with secrets not declared in the registry.
Install Mechanism
No install spec — instruction-only with shipped Python scripts. requirements.txt only lists requests and python-dotenv, which is proportionate to the task. Nothing in the install surface pulls arbitrary remote archives or runs opaque installers.
Credentials
The code legitimately needs JIRA_BASE_URL and JIRA_TOKEN, but the skill metadata does not declare them. Additional concerns: jira_client sets session.trust_env = False which disables honoring HTTP(S)_PROXY environment variables — this will bypass system or enterprise proxy controls (monitoring/network egress rules) and may be unexpected. The code fetches personal fields (assignee/reporters' email addresses) and downloads attachments — all expected for the feature but they are sensitive and require that users trust the skill before providing credentials.
Persistence & Privilege
The skill does not request permanent inclusion (always:false) and does not modify other skills or system-wide configs. It will create a virtualenv under the skill directory and write report files into the user's project .cursor/work/jira directory per the instructions — this is expected behavior for a local report generator.
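How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install jira-issue-analyzer
  3. Once installed, call the Skill by name or trigger it with /jira-issue-analyzer
  4. Provide the required inputs per the Skill's parameter description to get structured output
Version history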
v1.0.0
Initial release of jira-issue-analyzer.
  • Provides tools to fetch Jira issue details and attachments.
  • Supports structured workflow for analyzing and generating Markdown reports locally.
  • Integrates subagent delegation for log analysis and problem attribution.
  • Standardizes report output and storage locations.
  • Includes detailed setup and command references for quick start.
Metadata
Slug jira-issue-analyzer
Version 1.0.0
License MIT-0
Total installs 0
Current installs 0
Version count 1
FAQ

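What is jira-issue-analyzer?

Jira issue analysis orchestrator. It fetches the issue and its attachments, delegates to the log-analysis subagent, and writes the final Markdown report to a local directory. Intended for cases where the user asks for a Jira issue analysis document. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 115 downloads to date.

How do I install jira-issue-analyzer?

Run the command "/install jira-issue-analyzer" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.

Is jira-issue-analyzer free?

Yes, jira-issue-analyzer is completely free. It is released under the MIT-0 license and can be freely downloaded, installed and used.

Which platforms does jira-issue-analyzer support?

jira-issue-analyzer is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed jira-issue-analyzer?

Developed and maintained by Dimos (@dimos92); the current version is v1.0.0.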
