Jira
Pass
Audited by VirusTotal on May 12, 2026.
Findings (1)
The skill is classified as suspicious for two reasons, both found in `scripts/jira.sh`. First, it contains a hidden `metrics` command, not documented in `SKILL.md`, that can exfiltrate aggregated worklog data (total hours, issue count) to an arbitrary URL specified by the `JIRA_METRICS_URL` environment variable. While this does not directly steal credentials, undocumented transmission of data to an arbitrary external endpoint is a risky capability. Second, the script is vulnerable to JQL injection in functions such as `print_search` and `find_account_id`, where user-provided query strings are interpolated directly into JQL queries without sufficient sanitization, potentially allowing an attacker to alter the query logic.
