The Agent Skills Directory

COMMAND_EXECUTION (MEDIUM): The skill performs extensive shell operations including directory traversal (find), directory creation (mkdir), and version control (git commit).
Evidence: The script in Step 4 uses find and subshells to identify phase directories. If directory names are manipulated by an attacker to include shell metacharacters, it could lead to command injection when variables like {NN} or {name} are interpolated into shell commands in Step 7 and 8.
UNVERIFIABLE DEPENDENCIES (MEDIUM): The skill relies on executing bash scripts from relative paths outside its own directory.
Evidence: Calls to bash "../kata-doctor/scripts/check-roadmap-format.sh" and bash "../kata-configure-settings/scripts/read-config.sh". The integrity of these scripts cannot be guaranteed as they are external to the skill package.
INDIRECT PROMPT INJECTION (LOW): The skill ingests untrusted data from .planning/REQUIREMENTS.md and .planning/MILESTONE-AUDIT.md to drive its logic.
Evidence (Ingestion): Step 1 and 2 explicitly read and parse YAML frontmatter from project files.
Evidence (Sanitization): There is no evidence of sanitization or escaping for the data extracted from these files before it is used in the UI output or commit messages.
Evidence (Capability): The skill has the capability to modify the file system and commit changes to the repository, which could be abused if the input data triggers a malicious planning sequence.
EXTERNAL_DOWNLOADS (LOW): Automated scanner 'URLite' flagged a malicious URL detection within REQUIREMENTS.md.
Evidence: Scanner report: REQUIREMENTS.md (URL:Blacklist|UR4EFAFDCAD26E3E52-0200|urlb). Since the skill's primary function is to read this file, it directly handles potentially malicious content.

kata-plan-milestone-gaps