plans-kanban

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill depends on the external npm package gray-matter (version 4.0.3) for parsing frontmatter in plan files, as documented in package.json and SKILL.md.
  • [DATA_EXFILTRATION]: The HTTP server implementation in scripts/lib/http-server.cjs exposes a /file/ endpoint that serves local files. While the isPathSafe function attempts to prevent path traversal, the server allows access to any file within the current working directory (cwd) and the plansDir. The SKILL.md instructions explicitly suggest binding the server to 0.0.0.0 for remote access, which would make all files in the workspace accessible to any device on the local network.
  • [COMMAND_EXECUTION]: In scripts/lib/http-server.cjs, the server attempts to dynamically load modules from a sibling directory (../../../markdown-novel-viewer) using computed paths in require() calls. This pattern is used to integrate with another skill but introduces a risk of loading and executing code from arbitrary locations if the directory structure is manipulated.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection via a Cross-Site Scripting (XSS) flaw in the dashboard. The renderDashboard function in scripts/lib/dashboard-renderer.cjs injects the plan data into a <script> tag using JSON.stringify without escaping HTML script terminators like </script>. A maliciously crafted plan.md file with a title or description containing </script> could execute arbitrary JavaScript in the user's browser.
    • Ingestion points: plan.md files discovered and parsed by scripts/lib/plan-scanner.cjs and scripts/lib/plan-parser.cjs.
    • Boundary markers: Absent; untrusted data from files is directly interpolated into HTML templates and script blocks.
    • Capability inventory: The skill possesses the capability to read any file in the workspace, serve files over HTTP, and render a dynamic web dashboard.
    • Sanitization: While basic HTML escaping is used for some display elements, the JSON data injection into the client-side script is not properly sanitized for the script context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 03:17 AM