jira-communication
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it retrieves and processes untrusted content from Jira issues (e.g., descriptions and comments). An attacker could place malicious instructions within a Jira issue that the agent then reads and potentially follows.
  - Ingestion points: scripts/core/jira-issue.py, scripts/utility/jira-qa-gather.py, and scripts/workflow/jira-comment.py.
  - Boundary markers: No delimiters or protective instructions are used when presenting external data to the agent.
  - Capability inventory: The skill has access to the Bash tool (allowing shell commands) and file system operations.
  - Sanitization: The skill performs JQL escaping but does not sanitize or escape issue content for the agent's prompt context.
- [COMMAND_EXECUTION]: The script scripts/core/jira-validate.py executes uv --version to verify the runtime environment. This is a legitimate and safe operation using a fixed command.
- [SAFE]: The skill incorporates several security best practices:
  - Credential Hardening: Jira credentials are stored in ~/.env.jira or ~/.jira/profiles.json using restricted filesystem permissions (0600) via scripts/core/jira-setup.py.
  - Data Redaction: The _sanitize_error function in lib/client.py and scripts/core/jira-setup.py ensures that sensitive tokens and passwords are redacted from error messages.
  - SSRF Protection: scripts/core/jira-attachment.py validates that attachment URLs correspond to the configured Jira instance before making requests.
  - Path Traversal Protection: The download functionality in scripts/core/jira-attachment.py validates that output paths remain within the current working directory.
  - Credential Safety on Redirects: When downloading attachments, the skill follows redirects without forwarding authentication headers to third-party CDNs.
Audit Metadata