kairos-development
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Flagged categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes external markdown files from the `docs/examples/` directory.
  - Ingestion points: Protocol markdown files within `docs/examples/` are read by the agent to perform 'imports' and 'workflows'.
  - Boundary markers: The prompt lacks explicit delimiters or instructions to treat the content of the protocol files strictly as data, increasing the risk that the agent may follow instructions embedded within those files.
  - Capability inventory: The agent can interact with the KAIROS MCP tools (e.g., `kairos_update`, `kairos_mint`) and has write access to the `reports/` directory.
  - Sanitization: There is no evidence of sanitization or validation logic applied to the content of the markdown files before they are processed by the agent.
- [COMMAND_EXECUTION]: The documentation references various shell commands such as `npm run dev:deploy`, `npm run dev:ai-mcp-integration`, and `npm run dev:test`. Although the instructions include strict prohibitions against the agent executing shell commands ('MUST NEVER Run shell commands'), the presence of these commands in the context provides a potential vector for execution if constraints are bypassed.
Audit Metadata