openspec-explore
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the
openspec list --jsoncommand. This is used to retrieve technical context about the current project status and is an intended function of the associated vendor tool. - [PROMPT_INJECTION]: The skill demonstrates an indirect prompt injection surface through the following evidence chain:
- Ingestion points: Reads files across the codebase and OpenSpec artifacts (such as proposal.md and design.md) in the
openspec/changes/directory. - Boundary markers: No specific delimiters are identified to isolate untrusted file content from the agent's instructions.
- Capability inventory: The agent uses the
openspecCLI for metadata and has read access to the local filesystem, though it is explicitly restricted from performing write operations. - Sanitization: There is no evidence of content sanitization or validation of the data read from the codebase.
- Note: This surface is required for the skill's primary purpose. The risk of the agent being manipulated by malicious code comments is mitigated by the instruction: 'NEVER write code or implement features.'
Audit Metadata