openspec-change-closure
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The
scripts/archive_change.pyscript contains a path traversal vulnerability. Thechange_idinput is joined to theCHANGE_ROOTpath without validation or sanitization, which could allow the agent to access or manipulate directories outside the intended workspace. - PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection (Category 8) as it processes untrusted data. 1. Ingestion points: The skill reads markdown spec deltas from
openspec/changes/. 2. Boundary markers: There are no boundary markers or instructions provided to the agent to disregard instructions embedded in the specs. 3. Capability inventory: The skill allowsBash,Write, andGreptools, and the archival script performs filesystem writes. 4. Sanitization: There is no sanitization of the content of the spec files before they are merged into the living specifications.
Audit Metadata