verify-bug
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests 'Reproduce steps' and 'Expected Result' from an external JIRA ticket to drive automated browser actions.
- Ingestion points: JIRA ticket URL/key parsed in
SKILL.md(Step 0). - Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands within the ticket data.
- Capability inventory: Execution of browser automation via
playwright-cliandAppium(Step 1), and the ability to comment on and transition JIRA ticket statuses (Step 3). - Sanitization: No evidence of sanitization, validation, or escaping of the reproduction steps before they are executed in the browser session.
- [DATA_EXFILTRATION]: The workflow explicitly instructs the agent to 'Fetch Test Data' from Confluence and 'Parse credentials'. This pattern encourages the storage and retrieval of plaintext credentials from a shared wiki platform, which exposes secrets to the agent's context and potentially to JIRA comments or system logs.
- [COMMAND_EXECUTION]: The skill utilizes shell-based tools like
playwright-cliandAppiumwith interpolated variables ({TICKET},{MARKET}) derived from external JIRA data. This represents a potential command injection surface if the ticket key or market metadata is manipulated by an attacker.
Audit Metadata