jira
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection attacks because it processes data from an external Jira instance.\n
- Ingestion points: Untrusted data enters the agent context via
scripts/jira-view.sh(issue details and comments),scripts/jira-list.sh, andscripts/jira-search.sh.\n - Boundary markers: No boundary markers or specific 'ignore embedded instructions' warnings are used when presenting Jira content to the agent.\n
- Capability inventory: The skill has extensive capabilities including subprocess calls to the
jiraCLI for creating (jira-create.sh), updating (jira-update.sh), and transitioning (jira-transition.sh) issues, as well as raw API access (jira-api.sh).\n - Sanitization: Scripts use
jqto parse and build JSON structures, providing protection against typical injection in those fields, but the text content of issues is not sanitized or escaped to prevent command-like behavior in the LLM.\n- [COMMAND_EXECUTION]: A command injection vulnerability exists inscripts/jira-create.shdue to unquoted variable expansion.\n - Evidence: In
scripts/jira-create.sh, the commandLABEL_OUTPUT=$(jira labels set "$ISSUE_KEY" $ALL_LABELS 2>&1)expands the$ALL_LABELSvariable without quotes. If the agent is manipulated into passing a string containing shell metacharacters (e.g., semicolons or backticks) as a label, it will lead to arbitrary code execution in the shell.\n- [EXTERNAL_DOWNLOADS]: The skill requires the installation of an external CLI tool.\n - Evidence: Documentation and error messages in
scripts/_config.shandSKILL.mddirect users to install thego-jiraCLI from its official GitHub repository usingbrew installorgo install. This is documented neutrally as a requirement for the skill's primary purpose.
Audit Metadata