openspec-to-beads
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates shell commands for the 'beads' (bd) CLI using data parsed from local markdown files. The templates in
templates/issue-creation.mdinterpolate<task-description>and<gap-description>directly into shell strings without evident sanitization. This could lead to command injection if a task description inopenspec/changes/<change>/tasks.mdcontains shell metacharacters. - [PROMPT_INJECTION]: Indirect Prompt Injection: The skill processes untrusted data from project files to drive its execution logic, creating a surface where malicious instructions in a spec could influence agent actions.
- Ingestion points: Files located in
openspec/changes/<change>/, includingproposal.md,tasks.md, andspec.md(referenced inSKILL.mdStep 1). - Boundary markers: None identified; the agent is instructed to read and understand the content directly.
- Capability inventory: The skill has the ability to execute CLI commands (
bd create,bd dep add) which modifies the project's tracking state. - Sanitization: No sanitization or validation of the content parsed from markdown files is performed before it is used in command templates.
Audit Metadata