kage
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a bash shim (`k`) and Docker to execute security tools inside a containerized environment. This isolates command execution from the host but relies on the user having Docker access, which typically grants high privileges on the host system.
- [EXTERNAL_DOWNLOADS]: During setup and image building, the skill fetches numerous packages and tools from public repositories (e.g., GitHub, Go, NodeSource). These are well-known sources, but the skill depends on their availability and integrity.
- [CREDENTIALS_UNSAFE]: The skill is designed to use sensitive tokens (e.g., GitHub, AgentMail) and target credentials provided in a `creds.md` file. These are passed to scripts and tools within the sandbox to perform authenticated security scans.
- [PROMPT_INJECTION]: The skill has a high exposure to indirect prompt injection due to its core function of analyzing untrusted target data:
  - Ingestion points: Vulnerability scanners and testers read content from arbitrary URLs, JavaScript bundles, and source code directories (e.g., in `agents/vuln-scanner.md` and `agents/client-side-tester.md`).
  - Boundary markers: The `references/agent-constraints.md` file instructs agents to truncate output bodies to 2 KB to prevent context pollution.
  - Capability inventory: Sub-agents can execute shell commands via the Docker shim, perform network requests, and write results to the local filesystem.
  - Sanitization: Findings are filtered through a multi-stage process involving a 'Verifier' agent and a 'Judge' agent that applies a 4-gate validation framework (`references/judging.md`) to distinguish between real vulnerabilities and noise.
- [COMMAND_EXECUTION]: The installation guide suggests a manual `sudo` command to link the `k` shim to `/usr/local/bin/k` on the host machine for convenience.
Audit Metadata