spec-kit-implement
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The files scripts/check-prerequisites.sh and scripts/common.sh consist solely of relative path traversal strings (../../spec-kit/scripts/...). The SKILL.md instructions direct the agent to execute these files as scripts. This pattern is an attempt to escape the skill's directory and execute code from a parent location on the host system, which is a significant security risk in sandboxed environments.
- PROMPT_INJECTION (LOW): The skill is designed to ingest and execute logic from tasks.md and plan.md without any boundary markers or sanitization. This creates a surface for indirect prompt injection where an attacker could embed malicious instructions in these files that the agent would then follow.
  - Ingestion points: tasks.md, plan.md, and the checklists/ directory referenced in the workflow.
  - Boundary markers: None; the skill treats the contents of these files as an 'execution plan' and 'execution truth'.
  - Capability inventory: The agent can modify files (marking tasks as complete) and execute shell commands via the prerequisite script.
  - Sanitization: No validation or sanitization of task content is mentioned before execution.
- EXTERNAL_DOWNLOADS (LOW): The skill contains a reference to a GitHub repository (github/spec-kit) that is not part of the Trusted External Sources list. While this is currently a documentation link, the script structure indicates a hard dependency on this external, untrusted project being present on the local filesystem.
Audit Metadata