kata-list-phase-assumptions
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a shell command in `references/phase-assumptions.md` that interpolates a user-provided argument (`$ARGUMENTS`) directly into a `grep` command. An attacker could provide malicious input (e.g., using shell metacharacters like `;`, `&`, or `` ` ``) to execute arbitrary commands on the host system.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and processes untrusted data from `.planning/STATE.md` and `.planning/ROADMAP.md`.
  - Ingestion points: Reads project state and roadmap files in the `SKILL.md` context and `references/phase-assumptions.md` validation step.
  - Boundary markers: No explicit delimiters or instructions are provided to ignore embedded commands within the roadmap or state files.
  - Capability inventory: The skill has the ability to execute shell commands and influence subsequent planning phases based on its analysis.
  - Sanitization: There is no evidence of sanitization or validation of the content read from the project files before it is analyzed by the model.
Audit Metadata