fetch-ticket

Pass

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: SAFE · PROMPT_INJECTION · COMMAND_EXECUTION · DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: Indirect prompt injection via external data ingestion.
      • Ingestion points: The skill fetches ticket summaries, descriptions, and comments from YouTrack (via MCP) and GitHub (via gh CLI) in SKILL.md.
      • Boundary markers: While the output is normalized into markdown sections, there are no specific instructions or delimiters to prevent the agent from following malicious commands embedded within ticket bodies or comments.
      • Capability inventory: The skill is designed to be used by other workflows (e.g., /resolve) which likely possess file-system access or execution capabilities.
      • Sanitization: No sanitization or filtering is applied to the fetched content before it is returned to the agent context.
  • [COMMAND_EXECUTION]: Shell command interpolation in branch verification.
      • Evidence: In SKILL.md, the retrieval process for YouTrack includes executing git ls-remote --heads origin "{extracted-branch}" 2>/dev/null.
      • Risk: The skill instructions specify extracting a YYYY-MM pattern from the milestone field. However, if the agent fails to strictly validate this pattern, a malicious milestone name in YouTrack could be crafted to perform command injection (e.g., using semicolons or backticks).
  • [DATA_EXFILTRATION]: Arbitrary file access and exposure.
      • Evidence: The 'File' source detection logic in SKILL.md allows the skill to read any file path provided as an 'Input ID' if the file exists on the system.
      • Risk: This can be abused to read sensitive files (such as .ssh/id_rsa or .env) by passing the file path as the ticket ID, leading to data exposure.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 29, 2026, 05:15 PM