jira-communication
Pass
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The jira-validate.py script uses subprocess.run to check the version of the uv tool. The command is static (uv --version) and is used solely for runtime environment verification.
- [EXTERNAL_DOWNLOADS]: The jira-attachment.py script supports downloading issue attachments. It implements host-validation checks to ensure downloads originate from the configured Jira instance (mitigating SSRF) and verifies that output paths do not escape the working directory (mitigating path traversal).
- [CREDENTIALS_UNSAFE]: The skill facilitates the storage of Jira API tokens and Personal Access Tokens in ~/.env.jira or ~/.jira/profiles.json. The setup script explicitly enforces restrictive 0600 (owner-only) filesystem permissions on these files, aligning with industry standards for CLI tool configuration.
- [DATA_EXFILTRATION]: While the skill performs network operations to reach Jira APIs, it includes a dedicated _sanitize_error utility to redact authorization headers, bearer tokens, and passwords from any error messages that might be displayed or logged.
Audit Metadata