kanban-markdown
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE (PROMPT_INJECTION, NO_CODE)
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to read and process markdown files from the .devtool/features/ directory, which could contain malicious instructions if the files come from an untrusted source.
  - Ingestion points: The AI is instructed to 'read board state' by scanning all files in the features directory (SKILL.md).
  - Boundary markers: The skill relies on YAML frontmatter (---) as a structural boundary between metadata and the card body, but does not include explicit instructions to ignore natural-language commands embedded in the markdown body.
  - Capability inventory: The skill's impact is limited to reading, writing, and moving files within the specific features directory. It has no network or shell execution capabilities, so a successful injection could at most corrupt, relocate, or overwrite board files.
  - Sanitization: There is no evidence of sanitization or filtering of potentially malicious instructions within the feature files before they are read as board state.
- No Executable Code (SAFE): The skill consists entirely of markdown instructions and does not include any scripts, binaries, or automated installation hooks that execute code on the host system.
Audit Metadata