sdd-ff
Warn
Audited by Gen Agent Trust Hub on Mar 30, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a dynamic resolution algorithm for sub-agent definitions, prioritizing project-local files (.claude/skills/ and openspec/config.yaml) over global configurations. In an untrusted project environment, an attacker could supply malicious SKILL.md files that the orchestrator will resolve and load. The orchestrator explicitly instructs the sub-agents to follow these external instructions exactly, allowing for full hijacking of the sub-agent's logic.
- [PROMPT_INJECTION]: The 'Context extraction' logic creates a surface for indirect prompt injection by parsing user input and writing the results into a shared artifact.
  - Ingestion points: The $ARGUMENTS variable containing the user's description (SKILL.md).
  - Boundary markers: None are applied to the extracted content when writing to the proposal.md skeleton (SKILL.md).
  - Capability inventory: Subsequent sub-agents (propose, spec, design, tasks) have broad capabilities to read and modify project files, specifications, and design documents (SKILL.md).
  - Sanitization: No sanitization, escaping, or validation is performed on the extracted strings before they are interpolated into the proposal file (SKILL.md).
Audit Metadata