Skills
skills/gannonh/kata-orchestrator/kata-check-issues/Gen Agent Trust Hub

kata-check-issues

Warn

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill extensively utilizes shell commands to manage project state and files.
  • Evidence: Commands such as find, grep, awk, sed, mv, cp, and mkdir are used throughout SKILL.md to manipulate the .planning/ directory and its contents.
  • Evidence: The skill performs Git operations including git add, git rm, and git commit to persist changes to the issue tracking system.
  • [EXTERNAL_DOWNLOADS]: The skill fetches content from external sources to synchronize local state with remote issues.
  • Evidence: Uses the GitHub CLI (gh issue list, gh issue view) to retrieve issue metadata and body content from GitHub repositories.
  • [DATA_EXFILTRATION]: Local process transitions trigger the transmission of data to external services.
  • Evidence: Uses gh issue edit to add labels/assignees and gh issue close to post comments and close remote issues based on local actions.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection by processing untrusted data.
  • Ingestion points: Untrusted data enters the context via gh issue view (reading GitHub issue titles and bodies) and by reading local markdown files in .planning/issues/ that may have originated from GitHub.
  • Boundary markers: Absent. The skill does not implement delimiters or provide instructions to the agent to disregard instructions embedded within the fetched issue content.
  • Capability inventory: The skill has broad capabilities across all scripts in SKILL.md, including file writing (cat, mv, awk), local repository modification (git commit), and network write access via the GitHub CLI.
  • Sanitization: Absent. The data retrieved from GitHub (titles, bodies, labels) is interpolated directly into prompts and file writes without escaping or validation.
  • [REMOTE_CODE_EXECUTION]: The skill executes a local script whose content is not provided for verification.
  • Evidence: node scripts/kata-lib.cjs read-config is executed to retrieve configuration settings, making the skill dependent on the security of this local utility.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 10, 2026, 12:00 PM