kata-whats-new

Pass

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (SAFE): The skill uses the cat command to read the VERSION and CHANGELOG.md files from the $CLAUDE_PLUGIN_ROOT directory. This is standard behavior for a plugin to access its own metadata and is not considered a security risk.

  • EXTERNAL_DOWNLOADS (LOW): The skill fetches content from https://raw.githubusercontent.com/gannonh/kata/refs/heads/main/CHANGELOG.md. The GitHub user gannonh is not part of the trusted organizations list, making this an untrusted external source.

  • PROMPT_INJECTION (LOW): (Category 8: Indirect Prompt Injection) The skill is vulnerable to instructions embedded in the remote changelog file.

    • Ingestion points: The fetch_remote_changelog step uses WebFetch to download the remote CHANGELOG.md file.
    • Boundary markers: Absent. The prompt provided to WebFetch ("Extract all version entries...") does not include delimiters or instructions to ignore embedded commands.
    • Capability inventory: The skill can perform local file reads (cat) and network reads (WebFetch), and has the capability to provide formatted responses to the user.
    • Sanitization: Absent. There is no evidence of filtering or escaping the fetched content before it is processed by the agent.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Feb 18, 2026, 08:18 PM