spec-execution
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill implements a workflow that reads and follows instructions from specs/*.md files, making it susceptible to indirect prompt injection.
  - Ingestion points: Specification files (specs/*.md) read during the planning and execution phases.
  - Boundary markers: While tasks are scoped into sub-agents, the prompts for these agents are constructed directly from the untrusted specification content, without enforced delimiters or explicit instructions to ignore embedded directives.
  - Capability inventory: The skill can modify project files, execute git commands, and run shell-based tools such as bun.
  - Sanitization: There is no evidence of sanitization, validation, or structural checking of the specification content before it influences agent actions.
- [COMMAND_EXECUTION]: The skill executes shell commands to verify changes made while implementing the specification.
  - Evidence: Phase 3 runs bun run tsc --noEmit and bun test to verify code changes. If a malicious specification induces the agent to write harmful code or tests, these commands will execute that logic in the local environment.
Audit Metadata