jira-ticket-prioritizer

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions in SKILL.md (Step 1) interpolate user-provided arguments into a shell command: jira issue list --jql "TICKET_INPUT". Because TICKET_INPUT is derived directly from $ARGUMENTS, a maliciously crafted input containing shell metacharacters (e.g., backticks, $(...), or terminating quotes and semicolons) could allow for arbitrary command execution on the host system.\n- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it fetches and processes untrusted data from external JIRA tickets to drive its logic.\n
  • Ingestion points: Raw JIRA ticket data (summary, description) is fetched via the jira CLI and saved to .jira-ticket-prioritizer-tmp/tickets/.\n
  • Boundary markers: Absent. The skill does not instruct the agent to use delimiters or specific safety instructions when analyzing the ticket content for dependencies or priority.\n
  • Capability inventory: The skill has access to Bash, Read, Write, and Glob tools, and it makes decisions about code repository assignments and sprint planning based on the input.\n
  • Sanitization: Absent. No filtering or sanitization of the ticket text is performed before it is analyzed by the LLM.\n- [REMOTE_CODE_EXECUTION]: The skill executes a Node.js script from a sibling directory in Step 2: node ${CLAUDE_SKILL_DIR}/../jira-ticket-viewer/scripts/parse-ticket.js. This creates a dependency on external code outside of the skill's own directory structure, which may lead to the execution of unverified logic if that skill is compromised or missing.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 26, 2026, 07:51 AM
Security Audit — agent-trust-hub — jira-ticket-prioritizer