atlassian-mcp

clawhub:atlassian-mcp

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

Docker pull and run untrusted image EXTDL_015

external-download L17

Detects pulling and running Docker images from external registries

docker pull ghcr.io/sooperset/mcp-atlassian

FIX

Pin Docker images to a specific digest (e.g., image@sha256:abc...) instead of using mutable tags like :latest. Use trusted base images from verified publishers.

FP?

Likely FP if the Docker command pulls a well-known official image (e.g., docker pull python:3.11) in setup documentation.

LOW

Shell script file execution CMDEXEC_013

command-execution L31

Detects execution of shell script files via bash/sh command or direct invocation

bash scripts/run_mcp_atlassian.sh

FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.