atlassian-rest

Pass

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: SAFE [PROMPT_INJECTION] [COMMAND_EXECUTION]
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an internal instruction bypass vulnerability. While the SKILL.md documentation explicitly states 'Never delete. This skill does not support delete operations... This restriction is intentional and must not be bypassed', the sync.mjs script includes a functional deleteIssue() method and logic to delete Jira tickets via the Atlassian API. This discrepancy could lead the agent to violate its own safety constraints during automated sync workflows.
  • [COMMAND_EXECUTION]: The sync.mjs script utilizes execFileSync to dynamically invoke other scripts (jira.mjs and confluence.mjs) located in the same directory. This creates a pattern where subprocesses are spawned based on computed file paths and user-provided arguments, increasing the skill's risk profile.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) due to the following factors:
      • Ingestion points: Untrusted data enters the agent context through jira.mjs get (issue descriptions/comments), confluence.mjs get-page (page storage bodies), and sync.mjs pull (remote-to-local synchronization).
      • Boundary markers: Absent. The skill does not use delimiters or instructions to notify the agent to ignore commands within the fetched Atlassian data.
      • Capability inventory: The skill possesses high-risk capabilities including network access via fetch(), file system writes for sync state and document updates, and subprocess execution via execFileSync.
      • Sanitization: Absent. Although the skill converts between formats (Markdown and Atlassian Document Format), it does not filter or sanitize the content for natural language instructions that could hijack the agent's logic.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 23, 2026, 08:27 AM