Skills
skills/akin-ozer/cc-devops-skills/jenkinsfile-generator/Gen Agent Trust Hub

jenkinsfile-generator

Fail

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The resolve_k8s_yaml function within scripts/generate_declarative.py allows for arbitrary file read operations. It takes the value provided to the --k8s-yaml argument and checks if it exists as a file on the local filesystem using pathlib.Path.is_file(). If a file is found, the script uses read_text() to extract the entire content and embeds it into the generated Jenkinsfile. Because the script employs .expanduser(), it facilitates easy access to sensitive files in the home directory, such as ~/.ssh/id_rsa, ~/.aws/credentials, or .env files. This enables a user to harvest sensitive configuration or identity data from the agent's environment by including it in the generated pipeline code.
  • [COMMAND_EXECUTION]: The skill operates by executing local Python scripts (scripts/generate_declarative.py, scripts/generate_scripted.py, and scripts/generate_shared_library.py) that process user input to generate executable Groovy code. While the skill uses some escaping mechanisms for string literals to prevent injection into the generated Groovy syntax, the capability to read local files significantly expands the attack surface.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 28, 2026, 05:06 PM