The Agent Skills Directory

Indirect Prompt Injection (HIGH): The skill provides an attack surface where malicious instructions embedded in Jira tickets can control the agent.
Ingestion points: Commands such as acli jira workitem view, acli jira workitem search, and acli jira workitem comment list fetch data from external, potentially attacker-controlled sources.
Boundary markers: Absent. There are no delimiters or instructions provided to help the agent distinguish between Jira data and its own system instructions.
Capability inventory: The skill has access to the Bash tool and can modify Jira state via create, edit, transition, and comment commands.
Sanitization: No evidence of data sanitization or validation is present in the skill instructions.
Command Execution (MEDIUM): The skill relies extensively on the Bash tool. If untrusted Jira ticket content is interpolated into shell commands without strict escaping, it could lead to command injection on the host system.
External Downloads (LOW): The skill depends on the Atlassian CLI (acli). While the installation script is not included in this file, the skill references official Atlassian developer documentation (developer.atlassian.com), which is a reputable source. Per the Trust-Scope-Rule, this finding is downgraded to LOW but does not affect the HIGH severity of the ingestion surface.

atlassian