ticket
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the installation of a third-party CLI tool using go install github.com/wedow/ticket/cmd/tk@latest. The GitHub user wedow is not on the list of trusted organizations or repositories, making this an unverifiable dependency that could lead to remote code execution.
- [COMMAND_EXECUTION] (MEDIUM): The skill operates by executing the tk CLI tool with various subcommands. The arguments for these commands (such as ticket titles, descriptions, and acceptance criteria) are often provided by the user, which could potentially be used for argument injection depending on how the underlying system handles these calls.
- [DATA_EXPOSURE] (SAFE): The skill manages data locally within a .tickets/ directory. There is no evidence of sensitive system file access (e.g., SSH keys, credentials) or unauthorized network exfiltration.
- [PROMPT_INJECTION] (LOW): The skill has an attack surface for indirect prompt injection. Since it reads ticket content (markdown) from the local file system and displays it to the agent, a malicious ticket could contain instructions designed to manipulate the agent's behavior. Evidence:
  - Ingestion points: Reads files from .tickets/ via tk show and tk ls.
  - Boundary markers: None specified in the instructions.
  - Capability inventory: Executes system commands via the tk CLI.
  - Sanitization: No sanitization of ticket content is mentioned.
Recommendations
- AI detected serious security threats
Audit Metadata