jira-ticket

Security checks across malware telemetry and agentic risk

Overview

This skill creates Jira tickets using your Jira credentials and is transparent about doing so. The workspace-posting and data-sharing risk is expected for this function, but it is real.

Install only if you want the agent to create Jira issues through your Jira account. Use a limited-scope Jira token or account where possible, keep the token private, and review the project, summary, labels, assignee, description, and any web-researched content before the ticket is created.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill performs an action that transmits user-provided content to an external Jira instance, but it does not include an explicit user-facing warning or confirmation step near execution. This is risky because sensitive internal data, research results, or mistakenly included secrets could be sent to a third-party service without sufficiently clear notice at the point of action.

External Transmission

Medium
Category
Data Exfiltration
Content
## Phase 5 — Create the Ticket

```bash
curl --http1.1 -s -X POST \
  -u "$JIRA_EMAIL:$JIRA_API_TOKEN" \
  -H "Content-Type: application/json" \
  "$JIRA_BASE_URL/rest/api/3/issue" \
```
Confidence
88% confidence
Finding
```bash
curl --http1.1 -s -X POST \
  -u "$JIRA_EMAIL:$JIRA_API_TOKEN" \
  -H "Content-Type: application/json" \
  "$JIRA_BASE_URL/rest/api/3/issue" \
  -d
```

VirusTotal

65/65 vendors flagged this skill as clean.
