dev-fix

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructions direct the agent to interpolate user-provided input directly into shell commands without explicit sanitization or escaping instructions. Specifically, the JIRA ticket key is used to construct a directory path and a branch name in a git command, which could be exploited for command injection if a malicious string is provided as the ticket key.
  • Evidence: git worktree add ../<ticket-key> -b fix/<ticket-key> in SKILL.md.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it retrieves and processes data from external sources (JIRA and Confluence) that may be controlled by an attacker.
  • Ingestion points: JIRA bug reports (Reproduce steps, Expected/Actual results) and Confluence logic/specs (SKILL.md).
  • Boundary markers: There are no explicit instructions or delimiters used to isolate external content from the agent's core instructions.
  • Capability inventory: The skill has broad capabilities, including executing shell commands (git), running local development servers, and utilizing UI automation tools like Playwright and Appium.
  • Sanitization: No sanitization or validation logic is defined for the content fetched from JIRA or Confluence.
  • Mitigation: The risk is partially mitigated by a mandatory "HARD STOP" requiring the user to approve the implementation plan before the agent proceeds to modify code.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 19, 2026, 10:17 PM
Security Audit — agent-trust-hub — dev-fix