Jira BUG Analysis Assistant[Jira-BUG分析助手]

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the stated Jira bug-reporting task, but it handles sensitive Jira credentials and repeatedly encourages unsafe TLS bypasses that could expose credentials or internal bug data.

Install only if you are comfortable granting read access to the selected Jira project. Prefer a least-privilege PAT over a password, avoid placing secrets directly in shell commands, keep TLS verification enabled, and treat generated HTML/Excel reports as confidential because they can contain internal issue summaries, assignees, reporters, labels, and timing data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (10)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 94% confidence
Finding: The skill clearly instructs the agent to make outbound Jira and curl network requests, but no corresponding permissions are declared. Undeclared network capability is dangerous because it can bypass user/admin expectations and governance controls, especially when the skill also handles credentials and remote endpoints.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script exposes a --no-verify option that disables TLS certificate verification for Jira API requests, and it even suggests using it when SSL validation fails. This enables man-in-the-middle interception of Jira credentials, tokens, and returned bug data if the network path is hostile or compromised.

Credential Access

High

Category: Privilege Escalation
Content: **必填参数：** - **Jira Server URL**: 例如 `https://jira.company.com` - **认证方式**（二选一）： - Personal Access Token (PAT)（推荐） - 用户名 + 密码 - **Project Key**: Jira 项目标识，例如 `PROJ`
Confidence: 97% confidence
Finding: Access Token

External Script Fetching

High

Category: Supply Chain
Content: **Issue Type 自动检测**：如果脚本返回 0 条数据，可能是 Issue Type 名称不匹配。此时应通过 REST API 查询项目实际的 Issue Type 列表： ```bash curl -u <USER>:<PASS> -k <SERVER>/rest/api/2/project/<PROJECT_KEY> | python3 -c "import sys,json;[print(t['name']) for t in json.load(sys.stdin).get('issueTypes',[])]" ``` 如果发现实际名称为中文（如 `故障`、`缺陷`），用 `--issue-type` 参数指定后重新执行。
Confidence: 95% confidence
Finding: curl -u <USER>:<PASS> -k <SERVER>/rest/api/2/project/<PROJECT_KEY> | python

Tool Parameter Abuse

High

Category: Tool Misuse
Content: - **结束日期** (`--end-date`): 筛选此日期之前创建的 Bug，格式 YYYY-MM-DD - **Issue Type 名称** (`--issue-type`): 默认为 `Bug`。如果 Jira 实例使用中文或自定义名称（如 `故障`、`缺陷`），需指定实际名称。如果用户不确定，可先用 REST API 查询项目实际的 Issue Type 列表 - **Severity 自定义字段 ID** (`--severity-field`): 如果 Jira 实例中有「严重程度」自定义字段，提供其字段 ID（如 `customfield_10072`）。告诉用户可以在 Jira 管理后台的自定义字段页面找到此 ID - 如果用户的 Jira 使用自签名证书，需要添加 `--no-verify` 参数如果用户没有提供日期范围，建议默认使用最近 90 天。
Confidence: 96% confidence
Finding: --no-verify

Tool Parameter Abuse

High

Category: Tool Misuse
Content: [--start-date YYYY-MM-DD] \ [--end-date YYYY-MM-DD] \ [--severity-field customfield_NNNNN] \ [--no-verify] ``` 如果使用用户名密码认证，将 `--token` 替换为 `--username <USER> --password <PASS>`。
Confidence: 97% confidence
Finding: --no-verify

Tool Parameter Abuse

High

Category: Tool Misuse
Content: - 401 错误：提示用户检查认证凭据 - 403 错误：提示用户检查项目访问权限 - 连接错误：提示用户检查服务器 URL 和网络/VPN 连接 - SSL 错误：建议使用 `--no-verify` 参数 ## Step 4: Analyze the Data
Confidence: 95% confidence
Finding: --no-verify

Tool Parameter Abuse

High

Category: Tool Misuse
Content: **Issue Type 自动检测**：如果脚本返回 0 条数据，可能是 Issue Type 名称不匹配。此时应通过 REST API 查询项目实际的 Issue Type 列表： ```bash curl -u <USER>:<PASS> -k <SERVER>/rest/api/2/project/<PROJECT_KEY> | python3 -c "import sys,json;[print(t['name']) for t in json.load(sys.stdin).get('issueTypes',[])]" ``` 如果发现实际名称为中文（如 `故障`、`缺陷`），用 `--issue-type` 参数指定后重新执行。
Confidence: 98% confidence
Finding: curl -u <USER>:<PASS> -k

Tool Parameter Abuse

High

Category: Tool Misuse
Content: parser.add_argument("--end-date", help="Filter bugs created on/before this date (YYYY-MM-DD)") parser.add_argument("--max-results", type=int, default=1000, help="Max issues to fetch (default: 1000)") parser.add_argument("--page-size", type=int, default=100, help="Results per page (default: 100)") parser.add_argument("--no-verify", action="store_true", help="Disable SSL certificate verification") parser.add_argument("--severity-field", default="customfield_10072", help="Custom field ID for severity (default: customfield_10072)") parser.add_argument("--issue-type", default="Bug",
Confidence: 92% confidence
Finding: --no-verify

Tool Parameter Abuse

High

Category: Tool Misuse
Content: resp = session.post(url, json=payload, timeout=30) except requests.exceptions.SSLError as e: log(f"ERROR: SSL certificate verification failed: {e}") log("Hint: Use --no-verify for self-signed certificates.") sys.exit(1) except requests.exceptions.ConnectionError as e: log(f"ERROR: Cannot connect to {server}: {e}")
Confidence: 90% confidence
Finding: --no-verify

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal