atlassianapi

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill's authentication examples place API tokens and passwords as literal string values (e.g., HTTPBasicAuth('email@example.com', 'API_TOKEN') and password='API_TOKEN') and show them passed directly into requests, which encourages embedding and outputting secrets verbatim and thus creates exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill's "Sync GitHub PR to Jira" automation recipe explicitly consumes GitHub PR data (pr_data: branch name, title, html_url, draft flag), which is user-generated third-party content that the agent reads and acts on.