openspec-apply-change
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `openspec` CLI tool with several subcommands (`list`, `status`, `instructions`) to retrieve project state, change metadata, and implementation instructions.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection because it ingests and follows instructions found in external project files.
  - Ingestion points: Reads content from files listed in the `contextFiles` array returned by the `openspec instructions apply` command (typically including proposal, specs, design, and tasks files).
  - Boundary markers: Absent. The skill does not use specific delimiters or instructions to ignore potentially malicious content within the context files.
  - Capability inventory: The skill has file system read access, file system write access (to implement code changes and update task checkboxes), and the ability to execute the `openspec` CLI.
  - Sanitization: Absent. There is no evidence of content validation or sanitization for the data retrieved from project artifacts before it is processed by the agent.
Audit Metadata