Work on Ticket
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill contains 'CRITICAL' instructions and 'FAILURE' warnings designed to override the model's fundamental behavior regarding code structure and commenting styles. These are used to bypass the agent's standard reasoning and enforce strict, arbitrary constraints.
- [COMMAND_EXECUTION] (HIGH): The skill executes `/eng:chore` and git commands using data (`[TICKET_ID]`, `[CONSTRUCTED_PROMPT]`) retrieved from an external Jira ticket. An attacker who can modify a Jira ticket could inject malicious shell commands or control character sequences into these parameters, leading to unintended command execution in the user's local environment.
- [DATA_EXFILTRATION] (MEDIUM): The skill reads external content via the Zapier MCP tool and sends it into a task planning workflow (`/eng:chore`). If the ticket content is malicious, it could be used to trick the agent into exfiltrating local environment data or secrets during the 'task planning' phase.
- [INDIRECT PROMPT INJECTION] (HIGH):
  - Ingestion points: Fetches ticket details (summary, description) via `mcp__zapier-frontend__jira_software_cloud_find_issue_by_key` in SKILL.md.
  - Boundary markers: None. External content is directly interpolated into prompt strings.
  - Capability inventory: Execution of shell commands (`git checkout`, `git pull`), slash commands (`/eng:chore`), and branch creation.
  - Sanitization: None. The summary is converted to kebab-case for branch names, but the description is used raw in the `/eng:chore` command.
Recommendations
- AI detected serious security threats
Audit Metadata