功能描述

Connect OpenClaw to Jira Cloud with secret-safe API access via pastewatch redaction. Includes credential setup, REST API helper script, JQL patterns, focus a...

使用说明 (SKILL.md)

Jira + OpenClaw Integration

Name: Jira OpenClaw
Author: ppiankov

Connect your OpenClaw agent to Jira Cloud. Secrets never reach the LLM — pastewatch redacts credentials in transit.

Requires: pastewatch-cli (MCP server running), curl, python3

1. Credential Setup

mkdir -p ~/.openclaw/workspace/.secrets
chmod 700 ~/.openclaw/workspace/.secrets
echo ".secrets/" >> ~/.openclaw/workspace/.gitignore

cat > ~/.openclaw/workspace/.secrets/jira.env \x3C\x3C 'EOF'
JIRA_TOKEN=\x3Cyour-api-token-or-pat>
JIRA_URL=https://your-org.atlassian.net/
[email protected]
EOF
chmod 600 ~/.openclaw/workspace/.secrets/jira.env

Token types:

API token (id.atlassian.com → Security → API tokens) — works with Basic auth
PAT (ATATT... prefix, Jira settings → Personal Access Tokens) — also works with Basic auth (email:PAT)

Both use the same script below. Bearer auth is NOT needed.

2. API Helper Script

Create ~/.openclaw/workspace/.secrets/jira.sh:

#!/bin/bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
source "$SCRIPT_DIR/jira.env"

METHOD="${1:?Usage: jira.sh \x3CMETHOD> \x3Cendpoint> [body]}"
ENDPOINT="${2:?Usage: jira.sh \x3CMETHOD> \x3Cendpoint> [body]}"
BODY="${3:-}"
URL="${JIRA_URL%/}${ENDPOINT}"

if [ -n "$BODY" ]; then
  curl -s --http1.1 -X "$METHOD" \
    -u "${JIRA_EMAIL}:${JIRA_TOKEN}" \
    -H "Content-Type: application/json" \
    -d "$BODY" "$URL"
else
  curl -s --http1.1 -X "$METHOD" \
    -u "${JIRA_EMAIL}:${JIRA_TOKEN}" \
    -H "Content-Type: application/json" "$URL"
fi

chmod +x ~/.openclaw/workspace/.secrets/jira.sh

Why --http1.1: Atlassian's CDN sometimes breaks HTTP/2 with curl. Force HTTP/1.1.

3. Verify

# Test auth (pipe through pastewatch to confirm redaction)
~/.openclaw/workspace/.secrets/jira.sh GET '/rest/api/3/myself' | pastewatch-cli scan

You should see your displayName with emails/URLs redacted.

4. Pastewatch Protection

The agent reads jira.env through pastewatch MCP — it sees __PW{CREDENTIAL_1}__ instead of the real token. The script runs credentials at the shell level (never in LLM context).

Agent calls exec → jira.sh sources .env → curl sends real token → response comes back
                    ↑ never in context      ↑ direct to Atlassian

Pair with chainwatch to control which Jira endpoints the agent can hit.

5. Key API Patterns

Search (⚠️ use `/search/jql` NOT `/search`)

# /rest/api/3/search returns 410 Gone — always use /search/jql
jira.sh GET '/rest/api/3/search/jql?jql=\x3Curl-encoded>&maxResults=50&fields=key,summary,status,priority,duedate'

Common JQL

# My open tasks
assignee="Name" AND resolution=Unresolved ORDER BY priority DESC

# Unassigned
project=XX AND assignee=EMPTY AND resolution=Unresolved AND issuetype != Epic

# Overdue
project=XX AND resolution=Unresolved AND duedate \x3C "YYYY-MM-DD"

# Closed yesterday
project=XX AND assignee="Name" AND status changed to Done during ("YYYY-MM-DD","YYYY-MM-DD")

# In Progress
assignee="Name" AND status="In Progress" ORDER BY project,priority DESC

Issue Operations

# Get issue
jira.sh GET '/rest/api/3/issue/XX-123?fields=key,summary,status,priority'

# Get transitions
jira.sh GET '/rest/api/3/issue/XX-123/transitions'

# Change status
jira.sh POST '/rest/api/3/issue/XX-123/transitions' '{"transition":{"id":"31"}}'

# Update fields (e.g. bump duedate)
jira.sh PUT '/rest/api/3/issue/XX-123' '{"fields":{"duedate":"2026-03-10"}}'

# Link issues
jira.sh POST '/rest/api/3/issueLink' '{"type":{"name":"Relates"},"inwardIssue":{"key":"XX-1"},"outwardIssue":{"key":"YY-2"}}'

6. Cron Patterns

Focus Auto-Linker

Finds a daily focus record and links top-priority tasks to it:

# Find today's focus record (summary = "DD.MM", assigned to user)
jira.sh GET '/rest/api/3/search/jql?jql=project=DN AND summary~"05.03" AND assignee="Name"&fields=key,issuelinks'

# Get top 3 priority tasks
jira.sh GET '/rest/api/3/search/jql?jql=assignee="Name" AND project=DC AND resolution=Unresolved ORDER BY priority DESC,duedate ASC&maxResults=3&fields=key,summary,priority,duedate'

# Link each task to focus record
jira.sh POST '/rest/api/3/issueLink' '{"type":{"name":"Relates"},"inwardIssue":{"key":"DN-43"},"outwardIssue":{"key":"DC-3057"}}'

Schedule as OpenClaw cron: isolated session, agentTurn, Mon-Fri at start of day.

Overdue Bumper

Checks end-of-day for unresolved tickets due today, bumps +1 day:

# Find overdue
jira.sh GET '/rest/api/3/search/jql?jql=assignee="Name" AND resolution=Unresolved AND duedate="2026-03-05"&fields=key,summary,duedate'

# Bump each
jira.sh PUT '/rest/api/3/issue/DC-3057' '{"fields":{"duedate":"2026-03-06"}}'

Schedule as OpenClaw cron: isolated session, agentTurn, Mon-Fri end of day.

7. TOOLS.md Reference

Add to your workspace TOOLS.md for quick agent recall:

## JIRA
- Script: `~/.openclaw/workspace/.secrets/jira.sh GET|POST|PUT \x3Cendpoint> [body]`
- Creds: `.secrets/jira.env` (pastewatch-protected)
- ⚠️ Use `/rest/api/3/search/jql` NEVER `/rest/api/3/search` (410 Gone)

Known Issues

Team-managed (next-gen) projects: API returns total: 0 but issues are present — iterate issues array, ignore total
HTTP/2 failures: Atlassian CDN sometimes drops HTTP/2 requests — --http1.1 fixes it
PAT vs API token: Both work with Basic auth (email:token). Bearer auth fails with "Failed to parse Connect Session Auth Token"

This tool follows the Agent-Native CLI Convention. Validate with: clawhub install ancc && ancc validate .

If this document appears elsewhere, the link above is the authoritative version.

安全使用建议

This skill is coherent for integrating OpenClaw with Jira, but check a few operational points before installing: 1) The SKILL.md requires pastewatch-cli, curl and python3 but the registry metadata did not declare these — install and configure pastewatch-cli (MCP) if you rely on its redaction guarantees. 2) The instructions store credentials in ~/.openclaw/workspace/.secrets/jira.env (the file is created with chmod 600 in the guide) — consider using a least-privilege PAT, a scoped API token, or a system secret manager if you prefer not to keep plaintext files. 3) Verify pastewatch is correctly deployed and will actually redact outputs the agent might log or send; the claim 'secrets never reach the LLM' depends on correct pastewatch operation. 4) Review cron schedules and agent permissions because automated jobs will be able to read the local secret file and act on Jira (e.g., bumping due dates). 5) If you want the registry manifest to fully reflect runtime needs, ask the publisher to add required binaries to the metadata. If you are unsure about pastewatch or storing credentials in a file, do not enable scheduled/autonomous runs until you have enforced least privilege and verified redaction controls.

功能分析

Type: OpenClaw Skill Name: jira-openclaw Version: 1.0.1 The skill provides a legitimate integration for Jira Cloud, focusing on secure credential handling using local environment files and the pastewatch redaction tool. It includes a helper script (jira.sh) for API calls and examples for JQL queries and automated tasks like ticket bumping. No malicious behavior, data exfiltration, or obfuscation was detected; the design follows security best practices for the OpenClaw environment.

能力评估

ℹ Purpose & Capability

The SKILL.md and described features (credential setup, helper script, JQL patterns, cron jobs) match the name/description: this is a Jira integration. Minor metadata mismatch: the registry metadata declared no required binaries/env but the README requires pastewatch-cli, curl, and python3.

ℹ Instruction Scope

Instructions are focused on Jira integration and do not instruct reading unrelated system files. They do tell the agent/operator to create a local secrets file (~/.openclaw/workspace/.secrets/jira.env), a helper script that sources it, and schedule cron jobs that use those credentials. The claim that 'secrets never reach the LLM' depends on an external pastewatch MCP and proper use of pastewatch-cli; that is an operational assumption rather than a guaranteed property.

✓ Install Mechanism

This is an instruction-only skill with no install spec or code files, so nothing is written or downloaded by the skill itself. That keeps install risk low. However, the instructions do require external tools (pastewatch-cli) which the skill does not install or declare in registry metadata.

ℹ Credentials

The skill does not request unrelated credentials. It stores Jira credentials locally in a file (jira.env) rather than using declared env vars or a secret manager; the SKILL.md sets restrictive file permissions (700/600). This is proportional but you should confirm you are comfortable with a plaintext file containing credentials vs using a system secret manager or least-privilege PAT.

✓ Persistence & Privilege

always: false and default model invocation behavior are appropriate. The skill instructs scheduling periodic cron jobs (agentTurn/isolated sessions) which is consistent with its purpose. Note: scheduled autonomous runs will have access to the stored Jira credentials, so restrict cron cadence and agent permissions as needed.

版本历史

v1.0.1

Add ANCC breadcrumb

v1.0.0

Initial release — Jira Cloud integration with pastewatch secret protection, API helper, focus auto-linker, overdue bumper

元数据

Slug jira-openclaw

版本 1.0.1

许可证 MIT-0

累计安装 2

当前安装数 2

历史版本数 2

常见问题

Jira OpenClaw 是什么？

Connect OpenClaw to Jira Cloud with secret-safe API access via pastewatch redaction. Includes credential setup, REST API helper script, JQL patterns, focus a... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 604 次。

如何安装 Jira OpenClaw？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install jira-openclaw」即可一键安装，无需额外配置。

Jira OpenClaw 是免费的吗？

是的，Jira OpenClaw 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

Jira OpenClaw 支持哪些平台？

Jira OpenClaw 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Jira OpenClaw？

由 ppiankov（@ppiankov）开发并维护，当前版本 v1.0.1。

Jira OpenClaw