openspec-onboard

Fail

Audited by Socket on Mar 9, 2026

1 alert found:

Obfuscated File (HIGH)
SKILL.md

The skill's stated purpose (teaching and guiding through an OpenSpec workflow with real codebase work) is consistent with its capabilities and artifacts. There are no concerning data flows, credential requests, or external network exfiltration patterns. The primary risk is minimal, centered on the potential for the OpenSpec CLI installation step to introduce a downloaded binary; however, in the provided content this is presented as a conditional, user-driven action with standard sourcing (CLI installation from official channels) rather than an embedded download. Overall, the skill is BENIGN with a low security risk given its confined, instructional scope and local artifact generation.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 9, 2026, 11:28 PM
Package URL: pkg:socket/skills-sh/atilladeniz%2Fkubeli%2Fopenspec-onboard%2F@028eb2d92061da4f63795659423602fda25b0e02