speckit-tasks
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill executes a local shell script located at .specify/scripts/bash/check-prerequisites.sh during the setup phase.
  - Evidence: Workflow step 1 explicitly instructs the agent to run this script from the repository root.
  - Risk: Execution of workspace-provided scripts can lead to arbitrary code execution if the repository content or the script itself is untrusted or has been modified by an attacker.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it ingests external specification documents to drive its core logic.
  - Ingestion points: Reads multiple external files, including plan.md, spec.md, data-model.md, and research.md from the FEATURE_DIR (Workflow Steps 2 and 3).
  - Boundary markers: Absent. There are no delimiters or explicit instructions telling the agent to disregard embedded commands within these external files.
  - Capability inventory: The skill has the capability to execute shell scripts and to write the generated tasks.md file to the file system.
  - Sanitization: Absent. The skill extracts information directly from these documents to populate a task list that is intended to be 'immediately executable' by an LLM.
  - Risk: An attacker could embed malicious instructions in a feature specification file that the agent then translates into actionable tasks. Since these tasks are designed to be executed by subsequent skills (such as speckit-implement), this creates a path for multi-step exploitation.
Recommendations
- AI detected serious security threats