ticket-grooming

Warn

Audited by Gen Agent Trust Hub on Apr 17, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions include the use of CLI tools like acli and gh to manage ticket comments and metadata. Specifically, it prescribes shell commands such as acli jira workitem comment delete --key {KEY} --id {ID} where {KEY} and {ID} are variables retrieved from external ticketing systems. These inputs are not sanitized before being interpolated into shell strings, creating a potential vector for command injection if an attacker can manipulate ticket identifiers or keys.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from external sources.
      • Ingestion points: Ticket descriptions and comments are retrieved from Jira and GitHub (SKILL.md).
      • Boundary markers: The sub-agent templates place external data under a ## Ticket Details header, but they lack explicit instructions or delimiters to prevent the agent from executing instructions embedded within the ticket body.
      • Capability inventory: The sub-agents have extensive capabilities, including codebase indexing, knowledge graph searches (mcp__codebase-memory-mcp__search_graph), call path tracing, and the ability to read arbitrary files and git logs.
      • Sanitization: There is no evidence of input validation or sanitization for ticket-derived data before it is interpolated into prompts or used in logic flows.
  • [DATA_EXFILTRATION]: The skill performs deep investigations of the local codebase, including reading files, database schemas, and git history. The results of these investigations are summarized and posted to external ticketing systems (Jira, GitHub). While this is the intended functionality, it establishes a data flow where sensitive architectural and logic details from a private codebase are systematically exported to external platforms.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 17, 2026, 07:00 AM