spec-kit-checklist
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The skill executes a script through a relative path that traverses out of its own directory (../../spec-kit/scripts/check-prerequisites.sh). This bypasses the skill's directory boundary and runs code from the parent environment, which may pose a risk if the surrounding directory structure contains unauthorized or malicious scripts.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and processes content from user-editable files (spec.md, plan.md, tasks.md).
  - Ingestion points: Untrusted data enters the agent context through the loading of spec.md, plan.md, and tasks.md in Step 2 of the workflow.
  - Boundary markers: There are no explicit boundary markers or delimiters mentioned in the instructions to separate user content from system instructions, nor are there warnings for the LLM to ignore embedded instructions within these files.
  - Capability inventory: The skill has the capability to execute shell scripts (Step 1) and perform file system write operations to create new markdown checklists (Steps 4 and 7).
  - Sanitization: The workflow lacks a sanitization or validation step to filter or escape potentially malicious instructions embedded in the requirements artifacts before they are used to generate the checklist items.