atlassian-cli

clawhub:atlassian-cli

View source

77/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

77/100

HIGH 1

MEDIUM 1

Findings (2)

HIGH

Autonomous agent spawning PROMPT_INJECTION_017

prompt-injection L85

Detects autonomous sub-agent or cron-based execution without human oversight

unattended execution + unattended

FIX

Remove directives that force the agent to call specific tools or APIs not required for the skill's stated functionality. Tool calls should be determined by user intent, not embedded directives.

FP?

Likely FP if the skill legitimately needs to call other tools as part of its workflow (e.g., a deployment skill that calls git and cloud CLI tools).

MEDIUM

Conditional download and install EXTDL_014

external-download L21

Detects patterns that check for tool existence and install if missing

If acli is not installed, guide the user to: https://developer.atlassian.com/cloud/acli/guides/install

FIX

Replace conditional download-and-install logic with explicit dependency declarations in a manifest file (package.json, requirements.txt). Verify checksums for any runtime downloads.

FP?

Likely FP if the conditional install is documentation showing standard prerequisite checks (e.g., checking if a tool is installed before installing it).