kanban
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to how it processes user-controlled task data. Specifically,
implement/SKILL.mdextracts "Acceptance Criteria" from descriptions to create checklists, andbatch/kanban-planner.jsparses "Dependencies" to build execution graphs. A malicious task description could contain instructions that redirect the agent's behavior during these automated phases. - Ingestion points: Task descriptions are read and processed in
implement/SKILL.mdandbatch/kanban-planner.js(called frombatch/SKILL.md). - Boundary markers: None. The skill does not use delimiters or explicit "ignore" instructions to separate system logic from the untrusted content extracted from task fields.
- Capability inventory: The skill facilitates powerful operations including
git worktreecreation, execution of project-specific test suites vianpm run test, and CRUD operations via the local Kanban API. - Sanitization: Content extraction uses regular expressions (e.g.,
DEP_PATTERNSinkanban-planner.js), but the parsed values are directly incorporated into the agent's workflow without further validation or sanitization. - [COMMAND_EXECUTION]: The skill frequently executes shell commands to perform its core functions. It utilizes
git worktree addfor environment isolation,npm run testfor validation, andcurlfor API interactions. While these are necessary for the skill's operation, they represent a significant capability surface that could be abused if the agent's instructions are hijacked through indirect injection.
Audit Metadata