sdd-apply

Warn

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill identifies and executes test commands from project files such as package.json, pyproject.toml, and openspec/config.yaml. This allows the agent to run arbitrary shell commands defined in the project's configuration, which could lead to code execution if the project is untrusted.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it processes and obeys instructions from external artifacts such as tasks.md, spec, and design documents to perform code implementation. There are no boundary markers or instructions to sanitize these inputs against embedded malicious prompts.
      • Ingestion points: The skill reads tasks.md, spec, and design files in Step 2 and Step 3.
      • Boundary markers: None. The skill lacks instructions to distinguish between data and embedded commands within these files.
      • Capability inventory: The skill can write code to the filesystem, modify existing files, execute shell commands, and interact with project memory via mem_save and mem_update.
      • Sanitization: No sanitization or validation of the content from specifications is mentioned.
  • [REMOTE_CODE_EXECUTION]: The skill features a dynamic logic-loading capability in Step 1, where it loads additional skills from a path provided in the launch prompt. This allows the execution of unverified logic if the provided path is not strictly validated.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 25, 2026, 10:39 PM