spec-kitty-review
Pass
Audited by Gen Agent Trust Hub on Apr 3, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection by directing the agent to read and execute instructions located at the end of a long 'work package prompt' generated by a command. If the work package content is controlled by a malicious actor, it could override the agent's behavior.\n
- Ingestion points: The output of the
spec-kitty agent workflow reviewcommand.\n - Boundary markers: Absent. The skill instructions explicitly tell the agent to 'scroll to the BOTTOM to see the completion commands', which encourages following instructions from untrusted data.\n
- Capability inventory: The agent has access to shell execution for
gitcommands, thespec-kittyCLI tool, and local Python scripts (e.g.,.kittify/scripts/tasks/tasks_cli.py).\n - Sanitization: No sanitization or validation of the work package content is mentioned.\n- [COMMAND_EXECUTION]: The skill relies on the execution of multiple shell commands and local Python scripts to manage project tasks and transitions.\n
- Evidence: The skill uses
spec-kitty agent workflow review $ARGUMENTS,spec-kitty agent tasks move-task, andpython3 .kittify/scripts/tasks/tasks_cli.pyto automate the review process.\n - The
$ARGUMENTSplaceholder and the requirement to use a temporary file path provided within the external work package prompt create potential surfaces for command injection if the agent uses unsanitized input from the task data.
Audit Metadata