forge-app-builder

Warn

Audited by Gen Agent Trust Hub on Apr 15, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/deploy_forge_app.py uses subprocess.run with shell=True to execute commands. Those commands are built by string interpolation of arguments such as the Atlassian site URL and the application directory path. This pattern is vulnerable to shell command injection if the agent passes unvalidated or malicious input into these parameters.
  • [EXTERNAL_DOWNLOADS]: The skill fetches application template data from an Atlassian-managed registry located at forge-templates.us-west-2.prod.public.atl-paas.net.
  • [EXTERNAL_DOWNLOADS]: Node.js dependencies specified in package-lock.json are resolved from the Atlassian-owned npm registry at packages.atlassian.com.
  • [SAFE]: The skill incorporates critical safety rules in SKILL.md (Rule 4 and Step 0) that explicitly instruct the agent never to request or accept sensitive Atlassian API tokens in chat, instead directing users to a secure, terminal-based authentication process.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 15, 2026, 11:01 AM