speckit-implement
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes 'scripts/check-prerequisites.sh' and interacts with local CLI tools like git and docker to manage the project environment.
- [EXTERNAL_DOWNLOADS]: Setup instructions require the agent to initialize project dependencies, which involves downloading software packages from remote repositories based on the project's tech stack.
- [REMOTE_CODE_EXECUTION]: The bash script 'scripts/check-prerequisites.sh' uses 'eval' on the output of the 'get_feature_paths' function. This creates a command injection vulnerability because the function outputs variable assignments based on environment data (e.g., git branch names) without sufficient sanitization of single quotes, potentially allowing malicious branch names to execute arbitrary commands.
- [PROMPT_INJECTION]: The skill exhibits a surface for Indirect Prompt Injection. \n
- Ingestion points: Processes instructions from 'tasks.md', 'plan.md', and 'research.md'. \n
- Boundary markers: No specific delimiters or safety instructions are used to separate task data from agent commands. \n
- Capability inventory: The agent has permissions to write to the file system and execute shell commands to implement the feature. \n
- Sanitization: Content from implementation files is used directly without validation to drive the implementation phase.
Audit Metadata