speckit-baseline

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: CRITICAL (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The skill executes a bash script (create-new-feature.sh) using arguments (a 'short name') generated from the source code. Although the instructions suggest basic escaping for single quotes, the process is vulnerable to command injection if the analyzed code contains shell metacharacters that the agent extracts into the command line.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on and executes scripts located in the .specify/ directory of the target project. This 'bring-your-own-script' pattern is dangerous when the agent is used on untrusted or compromised codebases, as it will execute these scripts with the agent's system permissions.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests untrusted source code to drive its logic.
      1. Ingestion points: Source files and directory patterns (Step 2).
      2. Boundary markers: Absent; the agent is not warned to ignore instructions within the code.
      3. Capability inventory: Execution of local bash scripts and filesystem writes (Step 5, 9).
      4. Sanitization: Minimal; limited to partial shell escaping.
  • [SAFE] (INFO): The automated scanner alert regarding 'requirements.md' is a false positive. The scanner misidentified a local file path as a malicious URL; no actual external network connections or malicious URLs are present in the skill content.
Recommendations
  • Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Feb 17, 2026, 06:18 PM