jira-fix-workflow

Warn

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: MEDIUM | COMMAND_EXECUTION | PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: Dynamic Skill Discovery and Invocation. The skill includes logic to scan the host environment (e.g., Claude Code, Cursor, OpenCode) for other installed skills or agents using keywords such as 'debug', 'test', 'review', and 'plan'.
    • Evidence: The 'Environment Ability Exploration' section in 'SKILL.md' describes scanning the system prompt's available items or using the 'skill' tool to populate 'enhanced_capabilities' in a local 'state.json' file. These discovered components are then dynamically invoked during specific stages of the workflow.
  • [COMMAND_EXECUTION]: Automated Development Operations. The skill uses shell commands (bash) to perform end-to-end development tasks.
    • Evidence: Stages 5 through 8 involve branch creation ('git checkout -b'), running project-specific test suites (e.g., 'npm test', 'pytest', 'go test'), and using platform CLIs ('gh' or 'glab') to create and merge Pull/Merge Requests.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill processes data from external Jira issues, and that data acts as a primary source of instructions for its automated code modifications.
    • Ingestion Point: Stage 1 ('jira_get_issue') reads titles, descriptions, and comments from an external API.
    • Boundary Markers: Stage 1.5 ('Understanding Alignment') is designed to mitigate interpretation errors in manual mode but is explicitly skipped in 'auto' mode, where the agent proceeds directly to execution.
    • Capability Inventory: The skill has 'Edit/Write' access to the code base and 'Bash' execution privileges.
    • Sanitization: There is no evidence of explicit content sanitization or the use of boundary delimiters to ignore potential instructions embedded in Jira content.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 16, 2026, 12:22 PM