kamal
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill allows the agent to execute arbitrary commands on remote servers and within containers via
kamal server execandkamal app exec. While this is the primary purpose of the tool, it represents a high-privilege capability that could be abused if the agent is misdirected. - [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructions specify
gem install kamalwithout pinning a specific version. Installing unversioned packages from external registries can lead to supply chain vulnerabilities. - [CREDENTIALS_UNSAFE] (MEDIUM): The configuration reference suggests disabling SSH host key verification using
StrictHostKeyChecking: noandUserKnownHostsFile: /dev/null. This is a dangerous security anti-pattern that removes protection against Man-in-the-Middle (MITM) attacks during deployment. - [PROMPT_INJECTION] (LOW): The skill exhibits an indirect prompt injection surface by processing untrusted data from configuration files and hook scripts. Evidence:
- Ingestion points:
config/deploy.yml,.kamal/hooks/pre-deploy. - Boundary markers: Absent; there are no delimiters to separate instructions from data.
- Capability inventory: Includes full remote command execution (
server exec,app exec). - Sanitization: Absent; the skill does not mention validating or escaping content from configuration files before execution.
- Ingestion points:
Audit Metadata