verify-bug

Warn

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The workflow instructions (Step 0.3) explicitly direct the agent to fetch test data from Confluence and "Parse credentials". Handling credentials through external wikis/documentation instead of secure environment variables or a vault is an unsafe practice that risks exposing secrets to the agent's logs or context.
  • [COMMAND_EXECUTION]: The skill requires the agent to execute shell commands such as playwright-cli and Appium. The execution environment is directly influenced by parameters (TICKET, MARKET) parsed from external Jira tickets, creating a command injection risk if the source data is malicious.
  • [DATA_EXFILTRATION]: The skill metadata and reference section contain an absolute local file path (file:///Users/nguyenhuyhoang/Projects/...). This discloses the author's local username and internal directory structure. In an agentic context, referencing file:// URIs can be used to probe the local filesystem of the machine running the agent.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection because it ingests untrusted data to drive automated actions.
      ◦ Ingestion points: The agent reads 'Reproduce steps' from Jira tickets and 'Test data' from Confluence pages (Step 0).
      ◦ Boundary markers: None. There are no instructions to the agent to treat external content as data only or to ignore embedded instructions.
      ◦ Capability inventory: The agent has the ability to execute shell commands via playwright-cli, transition Jira ticket statuses, and post comments to Jira.
      ◦ Sanitization: No sanitization, escaping, or validation logic is defined for the content fetched from Jira or Confluence before it is used to drive the automation workflow.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 15, 2026, 12:06 AM