openspec-apply-change
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes the openspec CLI (list, status, instructions) to manage task state and retrieve implementation context. This is the primary mechanism for the skill's operation and is consistent with its stated purpose.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from the local environment to drive its implementation actions.
  - Ingestion points: Data is ingested from the JSON output of the openspec CLI and the contents of various project files (e.g., tasks, specs, design documents).
  - Boundary markers: There are no explicit delimiters or instructions to the agent to ignore potentially malicious instructions embedded within the context files.
  - Capability inventory: The skill has the capability to modify the local filesystem by implementing code changes and updating task statuses.
  - Sanitization: The skill lacks sanitization or verification logic for the instructions extracted from the context files before they are used to generate and apply code changes.
Audit Metadata