jira-communication

Name: jira-skill/jira-communication
Author: netresearch

Share on X Share on LinkedIn Share on Bluesky

100Critical

The skill requests excessive workspace-wide write permissions and insecurely mandates storing sensitive Jira credentials in predictable local files vulnerable to exfiltration by malicious processes.

ThreatsCI SM CS BC S HITL

Threat Analysis

AI Agent Traps ↗Scanned 6/22/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoningclean

Cognitive StateMemory & Learningclean

Behavioural ControlAction3 findings

SystemicMulti-Agent Dynamicsclean

Human-in-the-LoopHuman Overseerclean

Skill Info

Namenetresearch/jira-skill/jira-communication

Registrygithub

Version1e7d13afa8b6

PURLpkg:github/netresearch/jira-skill@1e7d13afa8b6?skill=jira-communication

Stars64

Installs238

Source

Repository ↗SKILL.md ↗

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

GitHub

238 installs

Skills.shDocs

npx skills add https://github.com/netresearch/jira-skill

Assessments (1)

AI Agent Traps ↗

Access to known credential file paths detectedcriticalcredential theftAML.T0055AML.T0037LLM02:2025

Access to known credential file paths detected

100% confidenceline 84

~/.env

Credential exposure via configuration fileshighcredential theftAML.T0055AML.T0037LLM02:2025

The skill instructs the user to store sensitive Jira API tokens and credentials in '~/.env.jira' or '~/.jira/profiles.json', which are common targets for exfiltration by other malicious processes or skills.

90% confidence

Config via ~/.env.jira or ~/.jira/profiles.json.

Over-privileged tool accessmediumdescription mismatchAML.T0011.000LLM06:2025LLM09:2025

The skill requests 'Write' access to the entire workspace, which is excessive for a Jira communication tool that should ideally only interact with the Jira API and local configuration files.

70% confidenceline 10

allowed-tools: Bash(python:*) Bash(uv:*) Read Write

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/github/netresearch/jira-skill/jira-communication.svg)](https://mondoo.com/ai-agent-security/skills/github/netresearch/jira-skill/jira-communication)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/github/netresearch/jira-skill/jira-communication"><img src="https://mondoo.com/ai-agent-security/api/badge/github/netresearch/jira-skill/jira-communication.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/github/netresearch/jira-skill/jira-communication.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow