confluence
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH | PROMPT_INJECTION | EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill is designed to read and modify external Confluence pages, creating a significant attack surface for indirect prompt injection. Malicious instructions placed on a Confluence page could manipulate the agent's behavior during processing.
  - Ingestion points: Untrusted page content is fetched into the agent context via 'get_page_adf' in almost all modification scripts (e.g., 'add_list_item.py', 'add_table_row.py').
  - Boundary markers: No delimiters or explicit instructions are used to distinguish between data and commands when the agent processes retrieved text.
  - Capability inventory: The skill can write back to Confluence ('update_page_adf'), upload attachments ('upload_attachment'), and execute structural modifications.
  - Sanitization: No evidence of input validation or sanitization is present in the scripts before retrieved content is interpolated into internal logic.
- [Unverifiable Dependencies] (MEDIUM): The skill relies on internal modules 'confluence_adf_utils.py' and 'mcp_json_diff_roundtrip.py' that are not included in the provided file set. These missing files contain critical logic for authentication, API communication, and document patching, making it impossible to verify the security of the skill's core operations.
Recommendations
- AI detected serious security threats
Audit Metadata