openspec-writing-plans
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill exhibits a significant attack surface by reading untrusted data and using it to influence executable output.\n
- Ingestion points: The skill reads files such as
proposal.md,design.md, and directory contents fromopenspec/changes/<name>/.\n - Boundary markers: There are no markers or delimiters defined to separate untrusted project content from the agent's internal instructions.\n
- Capability inventory: The skill is designed to generate implementation plans containing shell commands (
git add,git commit) and complete code blocks for execution by a subagent.\n - Sanitization: No sanitization or validation of the ingested content is performed, allowing embedded instructions in design docs to hijack the plan generation process.\n- [Unverifiable Dependencies] (MEDIUM): The skill relies on an external CLI tool named
openspecwhich is not a standard system utility or from a predefined list of trusted sources.\n - Evidence: Multiple calls to
openspec listandopenspec statusassume the presence of this specific binary in the environment without verifying its provenance.
Recommendations
- AI detected serious security threats
Audit Metadata