bugzilla
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-risk attack surface for indirect prompt injection.
  - Ingestion points: The agent retrieves untrusted data from `bugzilla.mozilla.org` through commands like `search` and `get` (documented in `SKILL.md` and `references/api-reference.md`).
  - Capability inventory: The skill includes the `attachment` command, which can read local files and upload them to the web, and the `update` command, which modifies remote state. This combination allows for side-effects based on processed data.
  - Boundary markers: No specific delimiters or "ignore instructions" warnings are present in the examples provided to the agent for handling bug descriptions or comments.
  - Sanitization: There is no evidence of sanitization or filtering of external content before it is processed by the agent's logic.
- [Data Exfiltration] (HIGH): The `attachment` command (`uv run "$BZ" attachment <id> <file>`) allows the agent to read arbitrary local files and transmit them to the Mozilla Bugzilla servers. If an attacker leverages an indirect prompt injection via a bug comment, they could force the agent to upload sensitive configuration files or SSH keys.
- [Command Execution] (LOW): The skill relies on executing a local Python script (`bz.py`) via the `uv run` command. While this is the intended functionality, it grants the agent the ability to execute shell commands with user-provided arguments.
Recommendations
- AI detected serious security threats
Audit Metadata