sdd-archive
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands (e.g., `test -d 'openspec/changes/<change-name>'` and suggests `rm -rf 'openspec/changes/<change-name>'`) using the user-supplied `<change-name>` variable. If this input contains single quotes or other shell metacharacters (e.g., `name'; touch /tmp/pwned; '`), it can lead to arbitrary command execution on the host system.
- [DATA_EXFILTRATION]: The skill uses the `<change-name>` input to resolve file system paths within the `openspec/` directory. Without validation against path traversal sequences (such as `../`), a malicious user could potentially trick the skill into reading from or deleting files in sensitive locations outside the intended directory structure.
- [PROMPT_INJECTION]: The skill functions as a data pipeline that merges external markdown content (delta specs) into the project's permanent master specification files. This presents an indirect prompt injection surface:
  - Ingestion points: Files located in `openspec/changes/<change-name>/specs/` and the `verify-report.md` file.
  - Boundary markers: Absent; the skill appends or replaces content directly into master files without delimiters or warnings for downstream agents.
  - Capability inventory: The skill has the ability to write/delete files, execute shell commands, and invoke other agent skills (`memory-update`).
  - Sanitization: None; the skill does not validate or sanitize the content of the delta specs before merging them into the permanent record.
Audit Metadata