dev-fix
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions direct the agent to interpolate user-provided input directly into shell commands without explicit sanitization or escaping instructions. Specifically, the JIRA ticket key is used to construct a directory path and a branch name in a git command, which could be exploited for command injection if a malicious string is provided as the ticket key.
- Evidence:
git worktree add ../<ticket-key> -b fix/<ticket-key>in SKILL.md. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it retrieves and processes data from external sources (JIRA and Confluence) that may be controlled by an attacker.
- Ingestion points: JIRA bug reports (Reproduce steps, Expected/Actual results) and Confluence logic/specs (SKILL.md).
- Boundary markers: There are no explicit instructions or delimiters used to isolate external content from the agent's core instructions.
- Capability inventory: The skill has broad capabilities, including executing shell commands (
git), running local development servers, and utilizing UI automation tools like Playwright and Appium. - Sanitization: No sanitization or validation logic is defined for the content fetched from JIRA or Confluence.
- Mitigation: The risk is partially mitigated by a mandatory "HARD STOP" requiring the user to approve the implementation plan before the agent proceeds to modify code.
Audit Metadata