atlassian
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a significant attack surface for indirect prompt injection because it is designed to read and process content from external, potentially attacker-controlled sources.
- Ingestion points: The skill reads data from Confluence pages and Jira issues via
scripts/confluence_api.py(read command),scripts/jira_api.py(read command), andscripts/debug_adf.py(fetch_raw_adffunction). - Boundary markers: There are no explicit delimiters or instructions within the scripts to treat the ingested data as untrusted or to ignore embedded instructions.
- Capability inventory: The skill has high-privilege capabilities including updating/creating Confluence pages and uploading attachments (
scripts/confluence_api.py). - Sanitization: No sanitization or filtering logic is present to remove or neutralize natural language instructions from the retrieved Atlassian data before processing by the agent.
- [External Downloads] (LOW): The setup documentation instructs users to download a font file from a trusted external source.
- Evidence:
README.mdusescurlto fetchNotoSansCJKkr-Regular.otffrom thegooglefontsorganization on GitHub. Per [TRUST-SCOPE-RULE], this is classified as LOW severity. - [Command Execution] (LOW): The skill utilizes standard system commands for environment setup and font management.
- Evidence:
README.mdcontains instructions forfc-cache -fandfc-list, which are standard utilities and not inherently malicious in this context. - [Data Exposure & Exfiltration] (SAFE): The skill uses environment variables (
ATLASSIAN_API_TOKEN) for authentication, which is standard practice. Network operations are targeted at Atlassian APIs as per the skill's stated purpose.
Recommendations
- AI detected serious security threats
Audit Metadata