jira-issues

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). Contains curl examples that embed user credentials directly into Authorization headers (Basic $(echo -n 'email:token' | base64)), which instructs producing commands that would include secret values verbatim and thus creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill's workflow (SKILL.md Step 3 "Get Issue") and the included scripts (e.g., scripts/delete-all.mjs and scripts/create-one.*) make authenticated HTTP requests to a configured JIRA_BASE_URL and fetch Jira issue data (summaries, descriptions, search results) — which are user-generated/untrusted content from a third-party system — and that retrieved content is read and used to drive actions (e.g., deciding which issues to delete or update), so it can indirectly inject instructions that affect tool behavior.