sdd-archive

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Finding: PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting and processing untrusted data from multiple project artifacts.
      • Ingestion points: Artifacts such as the change proposal, spec, design, tasks, and verification report are retrieved via mem_get_observation in SKILL.md.
      • Boundary markers: No specific delimiters or instructions are used to isolate untrusted artifact content from the agent's logic.
      • Capability inventory: The skill possesses capabilities to modify the main project specifications (filesystem merge) and update the internal memory store via mem_save.
      • Sanitization: Content is merged based on markdown header matching without explicit filtering or sanitization of potential instructions embedded in the artifacts.
  • [SAFE]: Filesystem operations (move, copy, read, write) are appropriately scoped to project-specific directories (e.g., openspec/changes, openspec/specs) and do not attempt to access sensitive system paths.
  • [SAFE]: No hardcoded credentials, obfuscated commands, or remote script executions were identified in the skill logic.
  • [SAFE]: All external resource references (e.g., engram, openspec) are consistent with the vendor's established conventions.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 10:43 AM