orchestrating-jira-workflow
Warn
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill depends on several third-party agent skills hosted in GitHub repositories that are not verified as trusted vendors or well-known technology organizations.
- Evidence:
subagents/preflight-checker-manifest.mdlists numerous required skills to be installed viaskills install, including resources fromobra/superpowers,antfu/skills,softaworks/agent-toolkit,blader/humanizer,sickn33/antigravity-awesome-skills, andwshobson/agents. - [PROMPT_INJECTION]: The skill processes external data from Jira tickets, which represents a surface for indirect prompt injection attacks.
- Ingestion points: Data is fetched from Jira and stored in local markdown files (e.g.,
docs/<KEY>.md) by thefetching-jira-ticketskill in Phase 1 and theticket-status-checkersubagent. - Boundary markers: There are no instructions or patterns defined to wrap ingested ticket content in delimiters or to apply specific 'ignore embedded instructions' markers.
- Capability inventory: The orchestrator dispatches execution tasks to downstream skills like
executing-jira-task, which has broad capabilities including file system modification, git operations, and code execution. - Sanitization: No sanitization, validation, or filtering of the incoming Jira ticket description, comments, or fields is implemented.
Audit Metadata