Jira

Name: Jira
Author: weihezhai

功能描述

Manage Jira issues and worklogs via REST API: search, view, create, comment, assign, transition status, and log or report work hours.

使用说明 (SKILL.md)

---
name: jira
description: Manage Jira issues, transitions, and worklogs via the Jira Cloud REST API.
homepage: https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/
metadata:
  {
    "clawdbot":
      {
        "emoji": "🧭",
        "requires":
          {
            "bins": ["curl", "jq", "bc", "python3"],
            "env": ["JIRA_URL", "JIRA_EMAIL", "JIRA_API_TOKEN"],
            "optional_env": ["JIRA_BOARD"]
          },
      },
  }
---

# Jira Skill

Work with Jira issues and worklogs from Clawdbot (search, status, create, log work, worklog summaries).

## Setup

1. Get your API key: https://id.atlassian.com/manage-profile/security/api-tokens
2. Click "Create API Token"
3. Set environment variables:
   ```bash
   export JIRA_EMAIL="[email protected]"
   export JIRA_API_TOKEN="your-api-token"
   export JIRA_URL="https://your-domain.atlassian.net"
   # Optional project scope (comma-separated). Empty = search all.
   export JIRA_BOARD="ABC"

Requires curl, jq, bc, and python3.

Quick Commands

All commands live in {baseDir}/scripts/jira.sh.

{baseDir}/scripts/jira.sh search "timeout" [max] — fuzzy search by summary or key inside JIRA_BOARD
{baseDir}/scripts/jira.sh link ABC-123 — browser link for an issue
{baseDir}/scripts/jira.sh issue ABC-123 — quick issue details
{baseDir}/scripts/jira.sh status ABC-123 "In Progress" — move an issue (validates available transitions)
{baseDir}/scripts/jira.sh transitions ABC-123 — list allowed transitions
{baseDir}/scripts/jira.sh assign ABC-123 "name or email" — assign by user search
{baseDir}/scripts/jira.sh assign-me ABC-123 — assign to yourself
{baseDir}/scripts/jira.sh comment ABC-123 "text" — add a comment
{baseDir}/scripts/jira.sh create "Title" ["Description"] — create a Task in JIRA_BOARD
{baseDir}/scripts/jira.sh log ABC-123 2.5 [YYYY-MM-DD] — log hours (defaults to today UTC)
{baseDir}/scripts/jira.sh my [max] — open issues assigned to you
{baseDir}/scripts/jira.sh hours 2025-01-01 2025-01-07 — your logged hours by issue (JSON)
{baseDir}/scripts/jira.sh hours-day 2025-01-07 [name|email] — logged hours for a day grouped by user/issue; optional filter (name/email; also resolves to accountId)
{baseDir}/scripts/jira.sh hours-issue ABC-123 [name|email] — logged hours for an issue; optional filter (name/email; also resolves to accountId)

Command Reference

Search issues

{baseDir}/scripts/jira.sh search "payment failure" [maxResults]

Issue link
```
{baseDir}/scripts/jira.sh link ABC-321
```

Issue details

{baseDir}/scripts/jira.sh issue ABC-321

Update status

{baseDir}/scripts/jira.sh status ABC-321 "Done"

List transitions

{baseDir}/scripts/jira.sh transitions ABC-321

Assign issue

{baseDir}/scripts/jira.sh assign ABC-321 "Jane Doe"

Assign to yourself

{baseDir}/scripts/jira.sh assign-me ABC-321

Add comment

{baseDir}/scripts/jira.sh comment ABC-321 "Deployed to staging"

Create issue

{baseDir}/scripts/jira.sh create "Fix auth timeout" "Users being logged out after 5m"

Log hours

{baseDir}/scripts/jira.sh log PB-321 1.5 2025-01-18

My open issues

{baseDir}/scripts/jira.sh my [maxResults]

Logged hours by issue (me)

{baseDir}/scripts/jira.sh hours 2025-01-01 2025-01-05

Logged hours for a day (everyone)

{baseDir}/scripts/jira.sh hours-day 2025-01-05

Logged hours for a day (user filter)

{baseDir}/scripts/jira.sh hours-day 2025-01-05 "jane"

Logged hours for an issue

{baseDir}/scripts/jira.sh hours-issue ABC-321 "jane"

Notes

Worklog commands use Jira's worklog/updated + worklog/list combo and may take a few seconds on large projects.
hours filters by JIRA_EMAIL; hours-day returns all users with totals per issue and user.
Outputs for hours commands are JSON for reuse in other tools.
Status transitions are validated against the server‑provided transition list before applying.

安全使用建议

What to check before installing or using this skill: - The main practical issue: the registry metadata claims no required credentials, but the SKILL.md and scripts require JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN. Do not provide credentials unless you confirm where and how the platform will store and protect them. - Inspect scripts/jira.sh yourself (it is included) to confirm there are no hidden endpoints. The script makes direct API calls only to the configured JIRA_URL — make sure you set that to your Atlassian instance (https://your-domain.atlassian.net) and not an attacker-controlled host. - Use a least-privilege API token for automation, and consider creating a service account rather than using a personal admin token. - Be aware the script uses Basic auth (email:api_token base64) in requests; anyone who can read environment variables or logs on the host could exfiltrate the token. Ensure your environment protects env vars and avoids logging sensitive headers. - If the platform does not prompt for the required env vars (because metadata omitted them), manually ensure you set them only in a secure credential store and verify the skill reads them from that store rather than from an unprotected shell. - If anything about the included script differs from SKILL.md at install time, treat that as a serious red flag and do not proceed until reconciled.

功能分析

Type: OpenClaw Skill Name: jira-m Version: 1.0.0 The skill is classified as suspicious due to two main reasons found in `scripts/jira.sh`. First, it contains a hidden `metrics` command, not documented in `SKILL.md`, which can exfiltrate aggregated worklog data (total hours, issue count) to an arbitrary URL specified by the `JIRA_METRICS_URL` environment variable. While not directly stealing credentials, this undocumented data transmission to an arbitrary external endpoint is a risky capability. Second, the script is vulnerable to JQL injection in functions like `print_search` and `find_account_id`, where user-provided query strings are directly interpolated into JQL queries without sufficient sanitization, potentially allowing an attacker to alter query logic.

能力评估

⚠ Purpose & Capability

Name/description (Jira issue & worklog management) match the script's behavior: the script calls Jira Cloud REST endpoints to search, create, transition, assign, and log work. However, the registry metadata claims no required environment variables or primary credential while the SKILL.md and scripts clearly require JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN. That discrepancy is incoherent and could lead to the agent not prompting for needed credentials or to user confusion.

✓ Instruction Scope

The SKILL.md instructions and the script stay within the stated purpose: they instruct the user to set Jira credentials and then perform API calls against the JIRA_URL. The runtime behavior (curl/jq calls to Jira endpoints, worklog aggregation) is consistent with the documented commands. No instructions attempt to read unrelated host files or send data to unexpected external endpoints beyond the configured JIRA_URL, but you should verify the JIRA_URL value before use.

✓ Install Mechanism

There is no install spec — the skill is instruction-plus-script only. The included scripts/jira.sh is present in the bundle (no external downloads or extract steps). This is low risk from an install mechanism perspective.

⚠ Credentials

The script legitimately needs JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN (basic auth to Jira). That is proportionate to the described functionality — but the registry metadata omitting these required env vars is a red flag: it contradicts the actual credential needs and may cause the platform not to ask for or protect the required secrets. Also note that the skill expects a full API token (sensitive) and will send it (base64 Basic auth) to whatever JIRA_URL is set; ensure you only set a trusted Atlassian URL and scope tokens with least privilege.

✓ Persistence & Privilege

The skill is not always-enabled and is user-invocable; it does not request system-wide config paths or attempt to modify other skills. There is no evidence it requests elevated or persistent system privileges.

版本历史

v1.0.0

- Initial release of the Jira skill for issue and worklog management via the Jira Cloud REST API. - Supports searching, viewing, creating, and updating Jira issues from command line scripts. - Enables logging and summarizing work hours, with JSON output for integration. - Includes commands for assigning issues, commenting, status transitions, and opening issue links. - Requires basic setup with Jira API token and environment variables; supports board/project scoping.

元数据

Slug jira-m

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Jira 是什么？

Manage Jira issues and worklogs via REST API: search, view, create, comment, assign, transition status, and log or report work hours. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 601 次。

如何安装 Jira？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install jira-m」即可一键安装，无需额外配置。

Jira 是免费的吗？

是的，Jira 完全免费（开源免费），可自由下载、安装和使用。

Jira 支持哪些平台？

Jira 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Jira？

由 whz（@weihezhai）开发并维护，当前版本 v1.0.0。