requirements-spec-kit

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • COMMAND_EXECUTION (HIGH): The workflow requires the agent to read templates (e.g., .specify/templates/commands/specify.md) and execute scripts described within them. This allows an attacker who can modify these files to run arbitrary commands in the agent's environment.
  • REMOTE_CODE_EXECUTION (HIGH): The skill explicitly executes bash scripts from the workspace, such as .specify/scripts/bash/check-prerequisites.sh. Since these scripts are part of the repository, their execution is equivalent to RCE if the repository content is not verified.
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to indirect prompt injection because its logic is driven by markdown files and templates in the workspace (.specify/templates/, .specify/memory/constitution.md). 1) Ingestion points: repository templates and spec files. 2) Boundary markers: absent. 3) Capability inventory: subprocess execution, file modification, and search (ripgrep). 4) Sanitization: absent.
  • COMMAND_EXECUTION (LOW): Uses rg (ripgrep) to search for specifications. While the search path is somewhat restricted, it remains an external process call that could be abused if patterns are not properly escaped.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 05:16 AM