spec-kitty-accept
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by interpolating untrusted data into an execution context.
  - Ingestion points: The 'Discovery' section in SKILL.md gathers 'Feature slug' and 'Validation commands executed' from the user or the agent's context.
  - Boundary markers: The execution plan uses double quotes (e.g., --feature "") to wrap arguments, but these can be bypassed by shell metacharacters if the input is not sanitized.
  - Capability inventory: The skill has the capability to execute shell commands and external CLI tools via the spec-kitty wrapper (SKILL.md).
  - Sanitization: There is no explicit sanitization or filtering of the user-supplied strings before they are assembled into the CLI command.
- [COMMAND_EXECUTION]: The skill facilitates the execution of local system commands and a third-party CLI tool with dynamic arguments.
  - Evidence: The execution plan in SKILL.md runs git rev-parse --show-toplevel and spec-kitty agent feature accept.
  - Risk: The dynamic assembly of the argument list using strings collected from the environment allows for potential command manipulation or unintended code execution if the agent does not correctly escape the resulting command string.
Audit Metadata