功能描述

CLI tool for interacting with Atlassian Jira and Confluence

使用说明 (SKILL.md)

Jira-AI Skill

Name: JIra and Confluence
Author: festoinc

The jira-ai skill provides comprehensive command-line access to Atlassian Jira and Confluence platforms, allowing agents to manage issues, projects, users, and documentation efficiently.

Installation

To install jira-ai, run:

npm install -g jira-ai

Authentication Setup

Before using jira-ai, you need to configure your Jira credentials:

Create a .env file with the following values:

JIRA_HOST=your-domain.atlassian.net
[email protected]
JIRA_API_TOKEN=your-api-token

Authenticate using the .env file:
```
jira-ai auth --from-file path/to/.env
```

Configuration

You can manage settings using the settings command:

jira-ai settings --help

Apply settings from a YAML file:

jira-ai settings --apply my-settings.yaml

Validate settings:

jira-ai settings --validate my-settings.yaml

Commands Overview

Top-Level Commands

Command	Description
`jira-ai auth`	Set up Jira authentication credentials
`jira-ai settings`	View, validate, or apply configuration settings
`jira-ai about`	Show information about the tool
`jira-ai help`	Display help for commands

Issue Management (`issue`)

Command	Description
`jira-ai issue get \x3Cissue-id>`	Retrieve comprehensive issue data
`jira-ai issue create`	Create a new Jira issue
`jira-ai issue search \x3Cjql-query>`	Execute a JQL search query
`jira-ai issue transition \x3Cissue-id> \x3Cto-status>`	Change the status of a Jira issue
`jira-ai issue update \x3Cissue-id>`	Update a Jira issue's description
`jira-ai issue comment \x3Cissue-id>`	Add a new comment to a Jira issue
`jira-ai issue stats \x3Cissue-ids>`	Calculate time-based metrics for issues
`jira-ai issue assign \x3Cissue-id> \x3Caccount-id>`	Assign or reassign a Jira issue
`jira-ai issue label add \x3Cissue-id> \x3Clabels>`	Add labels to a Jira issue
`jira-ai issue label remove \x3Cissue-id> \x3Clabels>`	Remove labels from a Jira issue

Project Management (`project`)

Command	Description
`jira-ai project list`	List all accessible Jira projects
`jira-ai project statuses \x3Cproject-key>`	Fetch workflow statuses for a project
`jira-ai project types \x3Cproject-key>`	List issue types available for a project

User Management (`user`)

Command	Description
`jira-ai user me`	Show profile details for authenticated user
`jira-ai user search [project-key]`	Search and list users
`jira-ai user worklog \x3Cperson> \x3Ctimeframe>`	Retrieve worklogs for a user

Organization Management (`org`)

Command	Description
`jira-ai org list`	List all saved Jira organization profiles
`jira-ai org use \x3Calias>`	Switch the active Jira organization profile
`jira-ai org add \x3Calias>`	Add a new Jira organization profile
`jira-ai org remove \x3Calias>`	Delete credentials for an organization

Confluence Commands (`confl`)

Command	Description
`jira-ai confl get \x3Curl>`	Download Confluence page content
`jira-ai confl spaces`	List all allowed Confluence spaces
`jira-ai confl pages \x3Cspace-key>`	Display pages within a space
`jira-ai confl create \x3Cspace> \x3Ctitle> [parent-page]`	Create a new Confluence page
`jira-ai confl comment \x3Curl>`	Add a comment to a Confluence page
`jira-ai confl update \x3Curl>`	Update a Confluence page

Usage Examples

Search for issues assigned to the current user

jira-ai issue search "assignee = currentUser()"

Get details of a specific issue

jira-ai issue get PROJ-123

Create a new issue

jira-ai issue create --project "PROJ" --summary "New task" --issuetype "Story"

Transition an issue to a new status

jira-ai issue transition PROJ-123 "In Progress"

Add a comment to an issue

jira-ai issue comment PROJ-123 --file comment.md

List all projects

jira-ai project list

Get worklogs for a user

jira-ai user worklog [email protected] 2w

Configuration Options

The jira-ai tool supports extensive configuration through settings files. You can define:

Allowed Jira projects
Allowed commands
Allowed Confluence spaces
Default behaviors for various operations

Example settings structure:

defaults:
  allowed-jira-projects:
    - all                     # Allow all projects
  allowed-commands:
    - all                     # Allow all commands
  allowed-confluence-spaces:
    - all                     # Allow all Confluence spaces

organizations:
  work:
    allowed-jira-projects:
      - PROJ                  # Allow specific project
      - key: PM               # Project-specific config
        commands:
          - issue.get         # Only allow reading issues
        filters:
          participated:
            was_assignee: true
    allowed-commands:
      - issue                 # All issue commands
      - project.list          # Only project list
      - user.me               # Only user me
    allowed-confluence-spaces:
      - DOCS

Benefits

Efficient API Usage: Minimizes the number of API calls needed to perform common operations
Batch Operations: Process multiple items at once to reduce API usage
Smart Filtering: Use JQL to retrieve only the specific data needed
Local Processing: Handle operations locally before sending targeted requests to Jira
Configuration-Based Access Control: Define allowed commands and projects to prevent unauthorized operations
Specific Command Targeting: Get only the information needed, reducing payload sizes and API usage

Security Considerations

Store API tokens securely in environment files
Use configuration-based access controls to limit operations
Regularly rotate API tokens
Limit permissions to the minimum required for operations

安全使用建议

This skill appears to do what it says (manage Jira and Confluence), but there are two red flags you should address before installing or using it: 1) Credentials: The SKILL.md instructs you to create a .env with JIRA_HOST, JIRA_USER_EMAIL, and JIRA_API_TOKEN, but the registry metadata does not list any required credentials. Treat this as an omission — the skill will need those secrets to work. Only provide a token with the minimal required scopes (avoid admin/root tokens), prefer app-specific or limited-scope API tokens, and store them securely (don’t leave plaintext .env on shared machines). 2) Installation source: The instructions tell you to run `npm install -g jira-ai`. The registry did not declare an install mechanism, so the platform didn’t vet or install that package for you. Before running npm install, verify the package and maintainer: check the npm package page and the GitHub repository (commit history, issues, maintainer identity), and prefer installing in a sandboxed environment or container. If you plan to let an automated agent invoke this skill, be cautious: an agent with access to the token could perform any API actions allowed by the token. What would increase confidence: the skill metadata listing required environment variables and a verified install spec (e.g., a known GitHub release or a vetted npm package reference), or an included code bundle maintained by the registry so the platform can scan it. If you want, I can list specific checks to run on the npm package and GitHub repo before you proceed.

功能分析

Type: OpenClaw Skill Name: jiraandconfluence Version: 1.0.0 The skill is classified as suspicious due to several risky capabilities. It instructs the agent to install an external npm package (`jira-ai`), which introduces a supply chain risk. The described `jira-ai` tool has broad file system access (reading .env, .yaml, and .md files) and extensive network capabilities. Most notably, the `jira-ai confl get <url>` command allows downloading content from arbitrary URLs, not just Confluence, which could be exploited for fetching malicious payloads or potential SSRF. While these capabilities are plausibly needed for a comprehensive Jira/Confluence management tool, their breadth and the generic nature of the `confl get` URL argument present a significant attack surface if the agent were to be compromised or given malicious instructions.

能力评估

ℹ Purpose & Capability

The name and description (Jira & Confluence CLI) match the actions described in SKILL.md (issue/project/user/confluence commands). This functionality reasonably needs Jira host, user email, and an API token — but those credentials are not declared in the skill metadata, which is an inconsistency.

ℹ Instruction Scope

SKILL.md instructs installing the tool with `npm install -g jira-ai` and creating/using a .env file containing JIRA_HOST, JIRA_USER_EMAIL, and JIRA_API_TOKEN (and then running `jira-ai auth --from-file`). Those instructions are within the tool's stated purpose but explicitly require the agent (or user) to provide sensitive credentials and to run commands that install/run third‑party code.

⚠ Install Mechanism

The skill has no install spec in the registry, yet the instructions recommend installing a globally-scoped npm package. That means the skill expects software from the public npm ecosystem (source not verified here). The registry should either declare the install or at least declare the external dependency; absence increases risk because the package origin/contents are not validated by the platform metadata.

⚠ Credentials

SKILL.md requires sensitive environment values (JIRA_HOST, JIRA_USER_EMAIL, JIRA_API_TOKEN) but the declared requirements list zero env vars/credentials. The skill will need secrets to operate, so the registry metadata is incomplete; this mismatch is important because users may not realize the skill requires and will access credentials.

✓ Persistence & Privilege

always is false and there is no install hook or code written by the skill itself; it is instruction-only. Autonomous invocation is allowed (platform default) — that is normal, but combined with the credential requirement it raises operational risk (see user guidance).

版本历史

v1.0.0

Initial release of jira-ai: powerful CLI tool for Atlassian Jira and Confluence. - Provides comprehensive command-line management of issues, projects, users, and Confluence pages. - Includes flexible authentication setup via .env file and command. - Supports detailed configuration with YAML files, including access control for commands and projects. - Adds batch operations, smart filtering (JQL), and API usage minimization features. - Enhanced security with environment-based credentials and customizable access controls.

元数据

Slug jiraandconfluence

版本 1.0.0

许可证 —

累计安装 7

当前安装数 6

历史版本数 1

常见问题

JIra and Confluence 是什么？

CLI tool for interacting with Atlassian Jira and Confluence. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 2174 次。

如何安装 JIra and Confluence？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install jiraandconfluence」即可一键安装，无需额外配置。

JIra and Confluence 是免费的吗？

是的，JIra and Confluence 完全免费（开源免费），可自由下载、安装和使用。

JIra and Confluence 支持哪些平台？

JIra and Confluence 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 JIra and Confluence？

由 festoinc（@festoinc）开发并维护，当前版本 v1.0.0。

JIra and Confluence