kata-add-issue
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
bashshell to manage local file structures, perform git commits, and interact with the GitHub CLI (gh). - [COMMAND_EXECUTION]: Variables derived from LLM-extracted conversation content (such as
[title],[problem], and[solution]) are interpolated into shell commands. This pattern is susceptible to command injection if the conversation data contains shell metacharacters (e.g., semicolons, backticks, or pipes) that are not properly sanitized before execution. - [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8). It ingests untrusted data from the conversation history (ingestion point:
SKILL.mdvia extraction step) and writes it to persistent markdown files in the.planning/issues/directory. These files lack strict boundary markers or sanitization and may be processed by other AI agents in the future, potentially leading to the execution of embedded instructions. - [REMOTE_CODE_EXECUTION]: The skill executes a script from a relative path (
../kata-configure-settings/scripts/read-config.sh). This introduces a dependency on external code located outside the skill's own directory, the integrity of which cannot be verified within this skill's context. - [EXTERNAL_DOWNLOADS]: The skill performs network operations by invoking the GitHub CLI (
gh) to create labels and issues on remote repositories. While targeting a well-known service, this capability could be abused if the repository context is manipulated.
Audit Metadata