kata-complete-milestone

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs dynamic execution by retrieving shell commands from the pre_release_commands array in .planning/config.json and executing them using eval within the milestone-complete.md workflow. This allows for arbitrary command execution based on local project configuration.
  • [COMMAND_EXECUTION]: The skill uses eval to execute the output of scripts/manage-worktree.sh, a local utility script used for managing git worktrees.
  • [COMMAND_EXECUTION]: The skill makes extensive use of bash commands for git operations (checkout, tag, push), file system management (find, sed, awk, cat), and GitHub CLI interactions (gh pr create, gh release create, gh api).
  • [REMOTE_CODE_EXECUTION]: The skill executes npm test, which runs arbitrary scripts defined within the project's package.json file. This amounts to executing code that may be controlled by project dependencies or previous project state.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8). It ingests potentially untrusted data from project files and history to generate automated content.
      • Ingestion points: .planning/ROADMAP.md, .planning/REQUIREMENTS.md, and git commit messages.
      • Boundary markers: Not consistently employed when extracting phase summaries or accomplishments.
      • Capability inventory: The skill has the ability to write to the file system, perform git commits/tags, and create GitHub Pull Requests and Releases.
      • Sanitization: No explicit sanitization or escaping of the ingested markdown content is performed before it is interpolated into PR bodies or archive files.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 10, 2026, 12:00 PM