The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill is highly vulnerable to indirect injection because it reads untrusted data from an external source (JIRA) and has the capability to perform side-effect actions based on that data.
Ingestion points: Commands like jira-as collaborate comment list and jira-as collaborate activity bring external, user-controllable text into the agent's context.
Boundary markers: There are no instructions or delimiters defined to help the agent distinguish between legitimate data and malicious instructions embedded within JIRA comments.
Capability inventory: The skill can execute comment add/update/delete, attachment upload, and notify commands. An attacker could use a malicious JIRA comment to trick the agent into deleting data or exfiltrating sensitive local files via the upload feature.
Sanitization: No evidence of input sanitization or output encoding is provided in the skill definition.
Unverifiable Dependencies (MEDIUM): The skill relies on an external CLI utility jira-as. The author jira-assistant-skills is not on the list of trusted organizations, and the skill does not provide a verifiable source for this binary, posing a supply chain risk.
Command Execution (LOW): The skill requests Bash tool permissions to run the jira-as CLI. While necessary for functionality, this provides a primitive that could be abused if the CLI itself is vulnerable to argument injection from the JIRA data it processes.

jira-collaboration