kata-customize
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill executes bash scripts located in sibling directories outside of its own package (`../kata-execute-phase/scripts/resolve-template.sh` and `../kata-doctor/scripts/check-template-drift.sh`). This cross-directory execution pattern assumes a trusted environment and can be exploited if an attacker can place files in sibling paths.
- [COMMAND_EXECUTION] (MEDIUM): The `list-templates.sh` script executes an embedded Node.js script using a heredoc to perform broad filesystem discovery and file reading.
- [PROMPT_INJECTION] (LOW): The skill exhibits a surface for indirect prompt injection by processing untrusted data from external files.
  - Ingestion points: Reads markdown files from all sibling directories starting with 'kata-' via `fs.readFileSync` in `list-templates.sh`.
  - Boundary markers: None; the skill does not use delimiters or instructions to ignore embedded commands in the templates it parses.
  - Capability inventory: Executes local bash scripts and writes to the filesystem via the Edit tool.
  - Sanitization: Employs only basic regex and a minimal custom YAML parser to extract data from markdown frontmatter.
Audit Metadata