speckit-taskstoissues
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The script
scripts/check-prerequisites.shexecuteseval $(get_feature_paths). Theget_feature_pathsfunction inscripts/common.shpopulates its output using the current Git branch name or theSPECIFY_FEATUREenvironment variable. If an attacker can control the branch name (e.g., through a malicious repository or PR), they can inject arbitrary shell commands (e.g.,branch-name';id;') that will be executed with the user's privileges when the skill is run. - [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection because it reads the contents of
tasks.mdand passes them to a GitHub MCP server to create issues. Malicious instructions insidetasks.mdcould manipulate the agent into creating unauthorized or harmful repository content. Ingestion points:tasks.mdviascripts/check-prerequisites.sh. Boundary markers: None. Capability inventory: GitHub MCP server issue creation, local shell execution. Sanitization: None detected.
Audit Metadata