speckit-proc
Pass
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves untrusted content from GitHub issues (titles, bodies, and comments) and interpolates this data into the prompts used to drive the AI worker session without sufficient isolation. A malicious issue could potentially contain instructions that hijack the worker's behavior.\n
- Ingestion points: GitHub issue details are fetched in
stages/01-preflight/CONTEXT.mdusing theghtool.\n - Boundary markers: The prompt template in
stages/02-specify/CONTEXT.md(Process step 3) directly injects the pre-flight summary into the worker's context without using delimiters (like XML tags or triple quotes) or 'ignore embedded instructions' warnings.\n - Capability inventory: The worker session has extensive capabilities, including file system modifications and execution of project-specific tools, while the operator retains access to
BashandWritetools.\n - Sanitization: There is no evidence of sanitization, filtering, or validation of the fetched issue content before it is processed by the AI.\n- [COMMAND_EXECUTION]: The skill uses the
Bashtool for several high-privilege development tasks:\n - Execution of the GitHub CLI (
gh) to manage issues, labels, and pull requests.\n - Execution of local environment scripts (
scripts/spawn-worker.sh,scripts/wait-for-worker.sh) which manage the worker lifecycle.\n - Execution of arbitrary test suites identified in the repository configuration (e.g.,
package.json,Makefile) during the06-teststage. While these actions are aligned with the skill's purpose as a developer tool, they involve executing code from the repository being modified.
Audit Metadata