verify-bug

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests 'Reproduce steps' and 'Expected Result' from an external JIRA ticket to drive automated browser actions.
  • Ingestion points: JIRA ticket URL/key parsed in SKILL.md (Step 0).
  • Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands within the ticket data.
  • Capability inventory: Execution of browser automation via playwright-cli and Appium (Step 1), and the ability to comment on and transition JIRA ticket statuses (Step 3).
  • Sanitization: No evidence of sanitization, validation, or escaping of the reproduction steps before they are executed in the browser session.
  • [DATA_EXFILTRATION]: The workflow explicitly instructs the agent to 'Fetch Test Data' from Confluence and 'Parse credentials'. This pattern encourages the storage and retrieval of plaintext credentials from a shared wiki platform, which exposes secrets to the agent's context and potentially to JIRA comments or system logs.
  • [COMMAND_EXECUTION]: The skill utilizes shell-based tools like playwright-cli and Appium with interpolated variables ({TICKET}, {MARKET}) derived from external JIRA data. This represents a potential command injection surface if the ticket key or market metadata is manipulated by an attacker.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 10:17 PM
Security Audit — agent-trust-hub — verify-bug