sdd-init
Pass
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface. It reads and parses untrusted files from the project root and user-level AI tool directories to generate configuration and registry artifacts.
- Ingestion points: The skill reads content from project-level files such as `package.json`, `go.mod`, `pyproject.toml`, `agents.md`, `CLAUDE.md`, and `.cursorrules`. It also scans and reads `SKILL.md` files from user-level directories like `~/.claude/skills/` and `~/.cursor/skills/` during the registry build phase (Step 4).
- Boundary markers: Absent. The skill does not apply delimiters or provide instructions to the agent to ignore potentially malicious embedded commands within the files it ingests.
- Capability inventory: The skill has the capability to write to the local file system (creating the `openspec/` directory structure and `.atl/skill-registry.md`) and persists data to the agent's memory backend via the `mem_save` function (Step 5).
- Sanitization: Absent. No explicit sanitization, validation, or escaping of the content read from external files is performed before it is interpolated into the generated SDD configuration or stored in memory.
Audit Metadata