orchestrating-jira-workflow

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill's preflight manifest identifies 17 external skill dependencies. While one dependency is from a trusted organization (vercel-labs), many others are sourced from unverified third-party GitHub accounts (including obra, softaworks, blader, sickn33, and wshobson), creating a significant supply chain risk surface.
  • [COMMAND_EXECUTION]: The codebase-inspector subagent utilizes the git CLI to perform repository state checks, branch listing, and diff summaries.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests and processes untrusted data from Jira tickets (descriptions, comments, and metadata) which are then used to drive planning and execution phases.
  • Ingestion points: Untrusted content from Jira is retrieved and stored in docs/<TICKET_KEY>.md.
  • Boundary markers: The orchestrator relies on Markdown headings to structure ticket snapshots but lacks explicit delimiters or instructions to ignore embedded commands within the ticket data.
  • Capability inventory: The workflow possesses broad capabilities including codebase search, branch management, and implementation through various subagents and skills.
  • Sanitization: No sanitization or validation of the retrieved Jira content is performed before it is analyzed by downstream planning skills.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 12, 2026, 02:47 PM
Security Audit — agent-trust-hub — orchestrating-jira-workflow