jira-ticket-viewer

Fail

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The script scripts/download-attachment.js accesses the local configuration file ~/.config/.jira/.config.yml to retrieve the user's login email. Accessing local application configuration files is a sensitive operation that exposes user metadata.
  • [DATA_EXFILTRATION]: The scripts/download-attachment.js script constructs a Basic Authorization header containing the user's JIRA_API_TOKEN. This header is sent to the attachment.content URL. Because the script follows HTTP redirects and does not validate that the destination domain belongs to Atlassian, a malicious Jira ticket could trigger a request to an attacker-controlled server, resulting in the exfiltration of the Jira API token.
  • [COMMAND_EXECUTION]: The script scripts/fetch-pull-requests.js uses execSync to run the jira me command. This executes a shell process at runtime to retrieve configuration data, which increases the attack surface if the environment or tool output is manipulated.
  • [PROMPT_INJECTION]: The skill processes untrusted external data (Jira ticket summaries, descriptions, and comments) and presents it to the agent without sanitization. This creates a surface for indirect prompt injection.
      • Ingestion points: Raw JSON data from jira issue view processed by scripts/parse-ticket.js and scripts/download-attachment.js.
      • Boundary markers: Absent. There are no delimiters or instructions provided to the agent to disregard instructions within the ticket content.
      • Capability inventory: The agent has access to Bash (shell commands), Write (file creation), and Edit (file modification).
      • Sanitization: The adfToMarkdown function in scripts/parse-ticket.js converts structure but does not filter for instructional text or malicious patterns.
  • [PROMPT_INJECTION]: The SKILL.md file contains instructions that attempt to influence the agent's internal logic regarding environment variables ('verify at least 2 times before concluding it is not set'), which is a form of behavior override.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 26, 2026, 11:31 PM