weihezhai

Jira

by whz · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
601 Downloads · 0 Stars · 0 Active Installs · 1 Versions
Install in OpenClaw
/install jira-m
Description
Manage Jira issues and worklogs via REST API: search, view, create, comment, assign, transition status, and log or report work hours.
README (SKILL.md)
---
name: jira
description: Manage Jira issues, transitions, and worklogs via the Jira Cloud REST API.
homepage: https://developer.atlassian.com/cloud/jira/platform/rest/v3/intro/
metadata:
  {
    "clawdbot":
      {
        "emoji": "🧭",
        "requires":
          {
            "bins": ["curl", "jq", "bc", "python3"],
            "env": ["JIRA_URL", "JIRA_EMAIL", "JIRA_API_TOKEN"],
            "optional_env": ["JIRA_BOARD"]
          },
      },
  }
---

# Jira Skill

Work with Jira issues and worklogs from Clawdbot (search, status, create, log work, worklog summaries).

## Setup

1. Get your API key: https://id.atlassian.com/manage-profile/security/api-tokens
2. Click "Create API Token"
3. Set environment variables:
   ```bash
   export JIRA_EMAIL="your-email@example.com"
   export JIRA_API_TOKEN="your-api-token"
   export JIRA_URL="https://your-domain.atlassian.net"
   # Optional project scope (comma-separated). Empty = search all.
   export JIRA_BOARD="ABC"
   ```

Requires curl, jq, bc, and python3.

## Quick Commands

All commands live in {baseDir}/scripts/jira.sh.

  • {baseDir}/scripts/jira.sh search "timeout" [max] — fuzzy search by summary or key inside JIRA_BOARD
  • {baseDir}/scripts/jira.sh link ABC-123 — browser link for an issue
  • {baseDir}/scripts/jira.sh issue ABC-123 — quick issue details
  • {baseDir}/scripts/jira.sh status ABC-123 "In Progress" — move an issue (validates available transitions)
  • {baseDir}/scripts/jira.sh transitions ABC-123 — list allowed transitions
  • {baseDir}/scripts/jira.sh assign ABC-123 "name or email" — assign by user search
  • {baseDir}/scripts/jira.sh assign-me ABC-123 — assign to yourself
  • {baseDir}/scripts/jira.sh comment ABC-123 "text" — add a comment
  • {baseDir}/scripts/jira.sh create "Title" ["Description"] — create a Task in JIRA_BOARD
  • {baseDir}/scripts/jira.sh log ABC-123 2.5 [YYYY-MM-DD] — log hours (defaults to today UTC)
  • {baseDir}/scripts/jira.sh my [max] — open issues assigned to you
  • {baseDir}/scripts/jira.sh hours 2025-01-01 2025-01-07 — your logged hours by issue (JSON)
  • {baseDir}/scripts/jira.sh hours-day 2025-01-07 [name|email] — logged hours for a day grouped by user/issue; optional filter (name/email; also resolves to accountId)
  • {baseDir}/scripts/jira.sh hours-issue ABC-123 [name|email] — logged hours for an issue; optional filter (name/email; also resolves to accountId)

## Command Reference

  • Search issues

    {baseDir}/scripts/jira.sh search "payment failure" [maxResults]
    
  • Issue link

    {baseDir}/scripts/jira.sh link ABC-321
    
  • Issue details

    {baseDir}/scripts/jira.sh issue ABC-321
    
  • Update status

    {baseDir}/scripts/jira.sh status ABC-321 "Done"
    
  • List transitions

    {baseDir}/scripts/jira.sh transitions ABC-321
    
  • Assign issue

    {baseDir}/scripts/jira.sh assign ABC-321 "Jane Doe"
    
  • Assign to yourself

    {baseDir}/scripts/jira.sh assign-me ABC-321
    
  • Add comment

    {baseDir}/scripts/jira.sh comment ABC-321 "Deployed to staging"
    
  • Create issue

    {baseDir}/scripts/jira.sh create "Fix auth timeout" "Users being logged out after 5m"
    
  • Log hours

    {baseDir}/scripts/jira.sh log PB-321 1.5 2025-01-18
    
  • My open issues

    {baseDir}/scripts/jira.sh my [maxResults]
    
  • Logged hours by issue (me)

    {baseDir}/scripts/jira.sh hours 2025-01-01 2025-01-05
    
  • Logged hours for a day (everyone)

    {baseDir}/scripts/jira.sh hours-day 2025-01-05
    
  • Logged hours for a day (user filter)

    {baseDir}/scripts/jira.sh hours-day 2025-01-05 "jane"
    
  • Logged hours for an issue

    {baseDir}/scripts/jira.sh hours-issue ABC-321 "jane"
    

## Notes

  • Worklog commands use Jira's worklog/updated + worklog/list combo and may take a few seconds on large projects.
  • hours filters by JIRA_EMAIL; hours-day returns all users with totals per issue and user.
  • Outputs for hours commands are JSON for reuse in other tools.
  • Status transitions are validated against the server‑provided transition list before applying.
Usage Guidance
What to check before installing or using this skill:

  • The main practical issue: the registry metadata claims no required credentials, but the SKILL.md and scripts require JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN. Do not provide credentials unless you confirm where and how the platform will store and protect them.
  • Inspect scripts/jira.sh yourself (it is included) to confirm there are no hidden endpoints. The script makes direct API calls only to the configured JIRA_URL — make sure you set that to your Atlassian instance (https://your-domain.atlassian.net) and not an attacker-controlled host.
  • Use a least-privilege API token for automation, and consider creating a service account rather than using a personal admin token.
  • Be aware the script uses Basic auth (email:api_token base64) in requests; anyone who can read environment variables or logs on the host could exfiltrate the token. Ensure your environment protects env vars and avoids logging sensitive headers.
  • If the platform does not prompt for the required env vars (because metadata omitted them), manually ensure you set them only in a secure credential store and verify the skill reads them from that store rather than from an unprotected shell.
  • If anything about the included script differs from SKILL.md at install time, treat that as a serious red flag and do not proceed until reconciled.
Capability Analysis
Type: OpenClaw Skill · Name: jira-m · Version: 1.0.0

The skill is classified as suspicious due to two main reasons found in `scripts/jira.sh`. First, it contains a hidden `metrics` command, not documented in `SKILL.md`, which can exfiltrate aggregated worklog data (total hours, issue count) to an arbitrary URL specified by the `JIRA_METRICS_URL` environment variable. While not directly stealing credentials, this undocumented data transmission to an arbitrary external endpoint is a risky capability. Second, the script is vulnerable to JQL injection in functions like `print_search` and `find_account_id`, where user-provided query strings are directly interpolated into JQL queries without sufficient sanitization, potentially allowing an attacker to alter query logic.
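The two checks that the Usage Guidance and Capability Analysis above call for, as an added example in POSIX shell (not code from scripts/jira.sh or from the skill's author): refusing to use a JIRA_URL that is not a single-tenant `https://<name>.atlassian.net` host, and escaping user text before it goes into a JQL string literal. The function names, the single-project-key assumption and the shape of the query are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not taken from scripts/jira.sh.
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the patterns below

# Succeeds only for https://<tenant>.atlassian.net (optional trailing slash).
# Rejects http://, ports, paths, userinfo and look-alike suffixes, so the
# Basic auth header is only ever sent to an Atlassian-hosted site.
jira_url_ok() (
  host=${1#https://}
  [ "$host" != "$1" ] || exit 1            # scheme must be https
  host=${host%/}
  case $host in
    *[!a-z0-9.-]*|.*|-*) exit 1 ;;         # '/', ':', '@', uppercase, ...
    ?*.atlassian.net) ;;
    *) exit 1 ;;
  esac
  tenant=${host%.atlassian.net}
  case $tenant in *.*|*-) exit 1 ;; esac   # tenant must be one DNS label
  exit 0
)

# Wrap user text as a double-quoted JQL string literal:
# escape backslashes first, then double quotes.
jql_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Project keys are validated against a strict pattern, never escaped.
project_key_ok() {
  case $1 in
    ''|[!A-Z]*|*[!A-Z0-9_]*) return 1 ;;
  esac
}

# Build a summary search scoped to one project key (assumed single key).
build_search_jql() {
  project_key_ok "$1" || { echo "invalid project key: $1" >&2; return 1; }
  printf 'project = %s AND summary ~ %s' "$1" "$(jql_quote "$2")"
}

# Constructed hostile search term: it stays inside the string literal.
build_search_jql ABC 'x" OR project = HR OR summary ~ "y'; echo
```

Send the resulting JQL with `curl -G --data-urlencode "jql=..."` rather than concatenating it into the request URL, and call `jira_url_ok "$JIRA_URL"` before any request that carries the token.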
Capability Assessment
Purpose & Capability
Name/description (Jira issue & worklog management) match the script's behavior: the script calls Jira Cloud REST endpoints to search, create, transition, assign, and log work. However, the registry metadata claims no required environment variables or primary credential while the SKILL.md and scripts clearly require JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN. That discrepancy is incoherent and could lead to the agent not prompting for needed credentials or to user confusion.
Instruction Scope
The SKILL.md instructions and the script stay within the stated purpose: they instruct the user to set Jira credentials and then perform API calls against the JIRA_URL. The runtime behavior (curl/jq calls to Jira endpoints, worklog aggregation) is consistent with the documented commands. No instructions attempt to read unrelated host files or send data to unexpected external endpoints beyond the configured JIRA_URL, but you should verify the JIRA_URL value before use.
Install Mechanism
There is no install spec — the skill is instruction-plus-script only. The included scripts/jira.sh is present in the bundle (no external downloads or extract steps). This is low risk from an install mechanism perspective.
Credentials
The script legitimately needs JIRA_URL, JIRA_EMAIL, and JIRA_API_TOKEN (basic auth to Jira). That is proportionate to the described functionality — but the registry metadata omitting these required env vars is a red flag: it contradicts the actual credential needs and may cause the platform not to ask for or protect the required secrets. Also note that the skill expects a full API token (sensitive) and will send it (base64 Basic auth) to whatever JIRA_URL is set; ensure you only set a trusted Atlassian URL and scope tokens with least privilege.
Persistence & Privilege
The skill is not always-enabled and is user-invocable; it does not request system-wide config paths or attempt to modify other skills. There is no evidence it requests elevated or persistent system privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install jira-m
  3. After installation, invoke the skill by name or use /jira-m
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
  • Initial release of the Jira skill for issue and worklog management via the Jira Cloud REST API.
  • Supports searching, viewing, creating, and updating Jira issues from command line scripts.
  • Enables logging and summarizing work hours, with JSON output for integration.
  • Includes commands for assigning issues, commenting, status transitions, and opening issue links.
  • Requires basic setup with Jira API token and environment variables; supports board/project scoping.
Metadata
Slug jira-m
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Jira?

Manage Jira issues and worklogs via REST API: search, view, create, comment, assign, transition status, and log or report work hours. It is an AI Agent Skill for Claude Code / OpenClaw, with 601 downloads so far.

How do I install Jira?

Run "/install jira-m" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Jira free?

Yes, Jira is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Jira support?

Jira is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Jira?

It is built and maintained by whz (@weihezhai); the current version is v1.0.0.
