kamal-deploy
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill mandates using the WebFetch tool to retrieve documentation from kamal-deploy.org before answering any user query. This is a severe Indirect Prompt Injection (Category 8) vulnerability.
  - Ingestion points: Mandatory WebFetch calls to external URLs in the 'Step 1' section of SKILL.md.
  - Boundary markers: Absent. The skill explicitly instructs the agent to treat fetched content as the primary source of truth, stating that local docs may be 'outdated'.
  - Capability inventory: The skill allows the agent to manage SSH keys (~/.ssh/id_rsa), handle production secrets (.kamal/secrets), and execute deployment commands (kamal deploy).
  - Sanitization: None. The agent is not instructed to validate or ignore instructions embedded within the fetched documentation content.
- [CREDENTIALS_UNSAFE] (HIGH): The skill guides the user to manage and store highly sensitive credentials, including RAILS_MASTER_KEY, DATABASE_URL, and KAMAL_REGISTRY_PASSWORD within the .kamal/secrets file. While standard for the tool, the interaction with unverified external fetches makes these secrets prime targets for exfiltration.
- [COMMAND_EXECUTION] (MEDIUM): The skill encourages the installation of software (gem install kamal) and the execution of complex deployment workflows on remote servers, which could be subverted if the agent's logic is influenced by malicious external documentation.
- [EXTERNAL_DOWNLOADS] (LOW): The skill downloads content from kamal-deploy.org using WebFetch. While the source is the official tool site, it is not within the defined 'Trusted External Sources' scope, and the nature of the fetch (mandatory before every turn) creates a persistent exposure window.
Recommendations
- AI detected serious security threats