specification-management
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Path Traversal vulnerability detected in the `spec.py` helper script.
  - Evidence: The `create_spec` function in `spec.py` uses the `template` argument (provided via the `--add` flag) to construct file paths without sanitization: `dest_file = spec_dir / f"{template}.md"`. Similarly, the `get_template_path` function constructs a read path using the same variable.
  - Impact: This allows for directory traversal (e.g., using `../../`) which could result in writing or overwriting files outside the intended specification directories, although restricted to the `.md` extension.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes content from untrusted workspace files.
  - Ingestion points: The skill reads metadata and document existence from files like `requirements.md` and `solution.md` within the `.start/specs/` directory via the `spec.py --read` command.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when the agent processes the output of the metadata script.
  - Capability inventory: The agent can execute file system commands (via `spec.py`) and transition through workflow phases based on the content it reads.
  - Sanitization: The script sanitizes the `feature_name` parameter using a regular expression but fails to sanitize the `template` parameter, creating an exploitable path for injected instructions to perform unauthorized file operations.
Audit Metadata