Spec Kitty Workflow
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill extensively constructs and executes shell commands using placeholders such as <FEATURE-SLUG>, <WP-ID>, and <AGENT-NAME>. In several instances (e.g., Step 1b, Step 4f, and Step 6), these placeholders are not enclosed in quotes, creating a significant surface for command injection if the variables are populated from untrusted inputs like branch names or user-provided slugs.
- [COMMAND_EXECUTION]: The skill performs file system cleanup using rm -f .kittify/workspaces/<SLUG>-WP*.json in Step 4f. The use of unquoted wildcards with variables allows for potential path traversal or unintended file deletion if the <SLUG> variable is manipulated.
- [PROMPT_INJECTION]: The skill uses rigid, imperative language (e.g., "YOU MUST", "PROTOCOL VIOLATION", "STRICTLY FORBIDDEN") to enforce a specific workflow. While intended for process integrity, such instructions can be used to override an agent's standard safety guidelines or operational constraints.
- [DATA_EXFILTRATION]: The workflow includes commands to push code and branches to a remote repository via git push origin. While standard for development, this involves transmitting project data to external servers, and users must ensure the 'origin' remote is a trusted destination.
- [COMMAND_EXECUTION]: The skill executes a custom local Python script (.kittify/scripts/tasks/tasks_cli.py) and a custom CLI tool (spec-kitty). These represent the execution of local code whose safety depends on the integrity of the project's internal tools.
Audit Metadata