address-ticket

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt explicitly instructs the agent to AskUserQuestion for Atlassian credentials (email and API token) and to use them directly in curl commands (basic auth and Authorization headers), which requires the LLM to handle and potentially embed secret values verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly downloads and analyzes user-provided JIRA attachments via the Jira REST API and retrieves/inspects Figma design URLs/files (via the GraphQL call and fcli), then passes those files and their extracted content to spawned agents as required workflow context, which exposes the agent to untrusted, user-generated third-party content that could carry indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly downloads Jira attachments at runtime via URLs like "https://.atlassian.net/rest/api/3/attachment/content/" (and also queries "https://tablecheck.atlassian.net/gateway/api/graphql" and Figma file URLs) and then passes those fetched files/URLs into spawned agents (PO, designers, test authors) as core context, so external content can directly control agent prompts.