openspec-implementation
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection because it reads and follows instructions contained in local specification files, which could be manipulated by a malicious actor.
  - Ingestion points: The skill reads content from proposal.md, tasks.md, and various specification files within the spec/changes/{change-id}/ directory.
  - Boundary markers: There are no delimiters or explicit warnings to the agent to ignore embedded instructions within these data files.
  - Capability inventory: The skill has the capability to execute npm scripts (allowing arbitrary code execution within the project context), perform network requests via curl, and manipulate the filesystem via cat, find, and echo.
  - Sanitization: There is no logic to sanitize or validate the content of the files before processing them.
- COMMAND_EXECUTION (LOW): The skill executes various shell commands related to software development (e.g., npm test, npm run db:migrate). While appropriate for a development tool, the use of the {change-id} variable in file paths without prior validation creates a path traversal risk, potentially allowing unauthorized file access if the input is not constrained.
Audit Metadata