openspec-apply-change
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the 'openspec' CLI tool using the '--change' flag with a parameter '' that is derived from user input or conversation context. While the command is templated with double quotes, this represents a potential surface for command injection if the underlying execution environment or the agent itself fails to properly escape special characters within the change name.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes and acts upon content from external project artifacts.
  1. Ingestion points: The skill reads file paths returned as 'contextFiles' from the CLI and ingests the content of these files (proposal, specs, design, tasks) to drive its implementation loop.
  2. Boundary markers: There are no explicit boundary markers or 'ignore' instructions implemented to prevent the agent from following malicious instructions that might be embedded within the project files.
  3. Capability inventory: The skill grants the agent the ability to modify local source code files and execute the 'openspec' CLI.
  4. Sanitization: No sanitization, validation, or filtering of the ingested context file content is performed before it is used to influence the agent's code-writing behavior.
Audit Metadata