speckit-constitution
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Threat categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill ingests untrusted user input (principles/amendments) and propagates them into multiple critical files including prompt templates, agent definitions, and other skills.
- Ingestion points: User-provided principles or amendments in conversation.
- Capability inventory: The workflow allows overwriting .specify/memory/constitution.md and modifying files in .claude/commands/, .github/prompts/, .github/agents/, and skills/speckit-*/SKILL.md.
- Boundary markers: None. The instructions tell the agent to 'Replace every placeholder with concrete text' from user input.
- Sanitization: None. There are no checks to prevent a user from providing a principle that contains malicious instructions meant to hijack other agents or tools.
- Command Execution Risk (MEDIUM): While the skill doesn't execute shell commands directly, by modifying SKILL.md files and prompt/command definitions in the repository, it can alter the behavior of other tools that do execute code, effectively leading to persistent command injection.
Recommendations
- AI detected serious security threats
Audit Metadata