openspec-propose
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes multiple shell commands using the openspec CLI to perform project actions.
  - Evidence: Commands such as openspec new change, openspec status --json, and openspec instructions --json are executed via bash to manage project state and retrieve data.
- [PROMPT_INJECTION]: The skill contains potential surfaces for both direct and indirect prompt injection.
  - Direct Injection Risk: A potential command injection vulnerability exists where the user's description is used to generate a name for the openspec new change "<name>" command. The skill attempts to mitigate this by instructing the agent to derive a kebab-case name, which acts as basic sanitization.
  - Indirect Injection Risk: The skill ingests untrusted data from an external source (the openspec CLI output).
    - Ingestion points: Data is fetched from openspec instructions <artifact-id> --change "<name>" --json in SKILL.md.
    - Boundary markers: Absent; the instructions do not specify delimiters or warnings to ignore embedded instructions within the fetched JSON fields (context, rules, instruction).
    - Capability inventory: The agent has the ability to execute bash commands and write to the file system.
    - Sanitization: Absent; the agent is explicitly told to apply the context and rules from the JSON as constraints for its output.
Audit Metadata