sdd-propose
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its primary data ingestion points. It accepts 'exploration analysis' or 'direct user description' and interpolates this content directly into the generated `proposal.md` document and the `mem_save` command.
  - Ingestion points: The skill explicitly processes 'direct user description' and 'Exploration analysis' from the `sdd-explore` phase (SKILL.md).
  - Boundary markers: There are no explicit delimiters (e.g., XML tags or triple quotes) or 'ignore embedded instructions' warnings around the interpolated data in Step 4 or Step 5.
  - Capability inventory: The skill possesses file-write capabilities (`openspec/changes/.../proposal.md`) and memory persistence capabilities (`mem_save` tool), which could be abused if the input contains malicious instructions.
  - Sanitization: No evidence of input validation, sanitization, or escaping was found in the instructions.
- [COMMAND_EXECUTION]: The skill implements dynamic instruction loading based on runtime parameters.
  - Evidence: Step 1 (SKILL.md) instructs the agent to 'Load it now' (the skill path) provided by the orchestrator in the launch prompt. If the orchestrator provides a path to an untrusted or attacker-controlled file, the agent may execute unintended instructions.
Audit Metadata