confluence
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest data from an external, potentially attacker-controlled source (Confluence) and use it within the agent context. This satisfies the conditions for a high-risk indirect injection surface.
- Ingestion points: Data is ingested via
confluence.get_page_by_id,confluence.get_page_by_title, andconfluence.get_all_pages_from_space(SKILL.md). - Boundary markers: No boundary markers or instructions to ignore embedded commands are present in the documentation or logic.
- Capability inventory: The skill allows access to
Bash,Write, andEdittools, as well as programmatic API access to modify external documentation. - Sanitization: There is no evidence of sanitization or validation of the HTML/text content retrieved from Confluence before processing.
- Command Execution (HIGH): The skill grants the agent access to the
Bashtool. While necessary for some operations, in conjunction with the ability to read external documentation, it allows an attacker to execute arbitrary commands by placing them in a Confluence page that the agent is instructed to read. - Data Exfiltration (MEDIUM): The skill has the capability to read local files (as seen in the
/confluence-publishcommand example) and send them to an external domain (Atlassian). This could be exploited to exfiltrate sensitive local data if the agent is tricked via prompt injection.
Recommendations
- AI detected serious security threats
Audit Metadata