work-on-ticket

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The scripts/setup.sh file explicitly instructs and provides commands for users to append their Jira API token in plain text to shell configuration files (~/.zshrc or ~/.bashrc). Storing long-lived credentials in shell profiles is a high-risk practice as these files are frequently targeted by local malware and may be accidentally synchronized or backed up insecurely.
  • [COMMAND_EXECUTION] (MEDIUM): Several scripts (scripts/create-ticket.py, scripts/start-work.py) use subprocess.run to execute git and gh (GitHub CLI) commands. While some sanitization (like slugify) is applied to branch names, other fields such as ticket summaries are directly interpolated into command arguments. This creates a surface for argument injection if the external data from Jira contains malicious payloads designed to manipulate CLI flags.
  • [DATA_EXFILTRATION] (LOW): The scripts/jira_config.py file contains a hardcoded default URL https://ihkreddy.atlassian.net. While not a credential, hardcoding specific external domains for data routing is a poor practice and could lead to accidental data exposure to the author's instance if a user fails to provide their own configuration.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted data from Jira tickets and uses it to drive local development actions.
      • Ingestion points: scripts/fetch-ticket.py and scripts/start-work.py retrieve ticket summaries, descriptions, and comments via the Jira REST API.
      • Boundary markers: None. Data is processed directly without delimiters or instructions to the agent to ignore embedded commands.
      • Capability inventory: The skill can create/checkout git branches, push code to remote repositories, and create GitHub Pull Requests using subprocess.run and gh CLI.
      • Sanitization: The slugify function in start-work.py uses regex [^\w\s-] to sanitize branch names, which provides some protection against command injection in those specific calls.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:16 PM