skills/mgiovani/cc-arsenal/jira-cli/Snyk

jira-cli

Warn

Audited by Snyk on Mar 26, 2026

Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

Third-party content exposure detected (high risk: 1.00). The skill explicitly includes a script that fetches and parses external GitHub PR data (references/scripting.md — "Auto-Transition Based on PR Status" using gh pr list and PR titles/URLs) and then automatically transitions and links Jira issues, so untrusted, user-generated third-party content is read and can directly drive tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

Potentially malicious external URL detected (high risk: 0.70). The GitHub Actions example downloads and installs a binary at runtime from https://github.com/ankitpokhrel/jira-cli/releases/latest/download/jira_linux_amd64.tar.gz which fetches remote executable code that is then run as a required dependency for the workflow.

Issues (2)

W011

MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012

MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

Audit Metadata

Risk Level

MEDIUM

Analyzed

Mar 26, 2026, 08:42 PM

Issues

2