jira-to-beads

Fail

Audited by Gen Agent Trust Hub on Feb 23, 2026

Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): Step 3 of the workflow in SKILL.md explicitly directs the agent to execute a script located in a cache directory: python .cache/create_beads_from_jira.py. Cache locations are insecure for storing and executing code because their contents are often transient and can be influenced by previous tasks or external processes.
  • [DYNAMIC_EXECUTION] (MEDIUM): The script scripts/export_jira_assigned.py modifies sys.path at runtime using a brittle path traversal (Path(__file__).resolve().parents[4]). This dynamic loading mechanism could lead to the execution of unintended modules if the repository structure is altered or accessed maliciously.
  • [INDIRECT_PROMPT_INJECTION] (LOW): This skill presents an attack surface for indirect prompt injection via external JIRA data.
      1. Ingestion points: The skill reads JSON data containing ticket summaries and keys exported from jira.sil.org.
      2. Boundary markers: No boundary markers or ignore-instructions are used to isolate the external ticket content.
      3. Capability inventory: The skill has the capability to execute shell commands and write to the filesystem.
      4. Sanitization: No sanitization logic is present to filter malicious instructions within JIRA ticket fields before they are processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 23, 2026, 06:39 AM