kata-add-milestone
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICAL
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The file references/github-mapping.md constructs GitHub CLI (gh) commands by interpolating variables like ${PHASE_NAME}, ${PHASE_NUM}, and ${MILESTONE_DESC} directly into the shell string. If these inputs contain shell metacharacters and the agent environment utilizes a shell for execution, it could result in arbitrary command execution. Evidence: gh issue create --title "Phase ${PHASE_NUM}: ${PHASE_NAME}" ....
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection because it reads and processes data from multiple user-influenced files such as ROADMAP.md and PROJECT.md to determine its actions.
  - Ingestion points: ROADMAP.md, PROJECT.md, and research files in .planning/research/.
  - Boundary markers: Absent.
  - Capability inventory: Shell execution (gh, git), file writing, and GitHub API access.
  - Sanitization: Minimal; while --body-file is used for issue bodies, other fields like titles are directly interpolated.
- EXTERNAL_DOWNLOADS (MEDIUM): An automated scanner (URLite) identified a blacklisted URL within the REQUIREMENTS.md file associated with this skill. While the content of that file was not provided for manual review, the detection indicates a confirmed risk in the project dependencies or documentation.
- DATA_EXFILTRATION (LOW): The skill sends project metadata and descriptions to the GitHub API. While this is a core feature, it involves transmitting potentially sensitive planning information to external servers.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata