openspec-sdd
Audited by Socket on Mar 9, 2026
1 alert found:
Obfuscated File

The OpenSpec spec-driven development skill as described is coherent with its stated purpose: it provides a structured workflow for exploring, proposing, implementing, and archiving spec-driven changes using a locally managed openspec/ directory and a globally installed OpenSpec CLI. The install path (npm registry) is a trusted source, and the primary data flow is local file I/O with standard package management, which is proportionate to its goals. There are no evident credential requirements or remote data flows that would constitute data exfiltration. While there is a non-trivial supply-chain vector via npm installation, it is a standard distribution risk rather than an error in design; it should be treated as a known risk (securityRisk low to moderate, depending on trust in the package source). Overall, the footprint is benign to mildly suspicious due to package dependency risk, but aligns with the described purpose when used as intended by a developer.