kata-research-phase
Fail
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: CRITICAL
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection surface detected in SKILL.md during the context gathering phase.
  - Ingestion points: The skill reads .planning/REQUIREMENTS.md, .planning/ROADMAP.md, and phase-specific context files.
  - Boundary markers: The skill uses basic XML-style tags (<context>) and Markdown formatting to separate data, but lacks explicit 'ignore instructions' delimiters for untrusted data.
  - Capability inventory: Spawns a 'general-purpose' subagent (kata-phase-researcher) which, based on the objective, utilizes tools like WebSearch and context queries.
  - Sanitization: No sanitization or escaping is performed on the data read from project files before it is injected into the subagent prompt.
- [EXTERNAL_DOWNLOADS] (LOW): Automated security scans (URLite) identified a blacklisted/malicious URL within the .planning/REQUIREMENTS.md file. While the skill does not perform a direct network fetch of this URL, it processes the containing file as context, creating a risk that the agent or subagent may attempt to visit or interact with the malicious domain during the research phase.
- [COMMAND_EXECUTION] (LOW): The skill utilizes local shell commands (bash, grep, find, cat) to manage project state and configuration.
  - Evidence: Execution of a local configuration script via relative path ../kata-configure-settings/scripts/read-config.sh.
  - Risk: Commands are restricted to local file discovery and configuration reading, representing standard operational behavior for this skill's context.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata