openspec-change-proposal
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection due to how it processes external data. Ingestion points: Untrusted user input via
change_requestandimpact_surface. Boundary markers: None; there are no instructions or delimiters to isolate untrusted content from the agent's logic. Capability inventory: The skill has access toBash,Write,Read, andGreptools. Sanitization: No sanitization or validation of the input content is performed before processing. - COMMAND_EXECUTION (MEDIUM): The skill uses the
Bashtool to execute local scripts. Evidence: The process section explicitly invokesscripts/scaffold_change.py. While the script is intended to be local, execution of scripts with potentially user-influenced parameters (<change-id>) increases the attack surface for command injection.
Recommendations
- AI detected serious security threats
Audit Metadata