openspec-executing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill reads instructions from external plan files (openspec/changes//plan.md) and is explicitly told to 'Follow each step exactly'. This pattern is highly susceptible to adversarial instructions that could lead to unauthorized command execution or data modification. (1) Ingestion points: The file openspec/changes//plan.md is read via cat. (2) Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands. (3) Capability inventory: High, as the agent is expected to execute the tasks defined in the plan. (4) Sanitization: Absent; the content is followed directly without validation.
- Command Execution (LOW): The skill utilizes local shell commands including openspec, cat, and ls to perform its operations. While these are necessary for the skill's functionality, they provide the execution environment for any instructions retrieved from the plan files.
Recommendations
- AI detected serious security threats
Audit Metadata