openspec-archive
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes the Bash tool to move directories based on a user-provided change-id. Direct inclusion of this argument in shell commands without prior validation or sanitization could allow for directory traversal or unintended command execution.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes content from external files that may be provided by untrusted sources.
  - Ingestion points: File content retrieved from openspec/changes/<id>/tasks.md and various specification delta files.
  - Boundary markers: The instructions lack explicit delimiters or 'ignore embedded instructions' warnings for the data being read.
  - Capability inventory: The agent has access to powerful tools including Bash, Write, and Edit, which could be misused if malicious instructions in the files are followed.
  - Sanitization: No logic for sanitizing, escaping, or validating the content of the ingested files is specified before the agent acts upon the data.
Audit Metadata