start-work
Fail
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands using user-provided Jira issue keys (e.g.,
af jira get <issue-key>,af jira transition <issue-key>) without any validation or sanitization. This allows an attacker to execute arbitrary commands by supplying a malicious issue key containing shell metacharacters such as;,&, or|. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It retrieves issue summaries and descriptions from an external source (Jira) and incorporates this untrusted data into OpenSpec proposals. Malicious instructions embedded in a Jira ticket could be interpreted by the agent as legitimate commands during the proposal enrichment phase.
- Ingestion points: Jira issue summary and description fetched via
af jira get <issue-key>in SKILL.md. - Boundary markers: No delimiters or 'ignore instructions' warnings are used when interpolating Jira data into the proposal.
- Capability inventory: The agent has the ability to execute shell commands (via
af jira) and invoke other skills (openspec-new-change,openspec-continue-change). - Sanitization: No evidence of escaping or validation of the fetched Jira content before use.
Recommendations
- AI detected serious security threats
Audit Metadata