openspec
Pass
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes artifact files which are user-controlled. This could lead the agent to follow malicious instructions embedded within specifications.
  - Ingestion points: The agent reads and interprets contents from files such as `specs/**/*.md`, `proposal.md`, and `design.md` to determine workflow state and generate next steps.
  - Boundary markers: No specific delimiters or "ignore" instructions are provided to the agent when it reads these artifact files.
  - Capability inventory: The skill allows the agent to create new files, modify existing artifacts, and execute `openspec` CLI commands.
  - Sanitization: No sanitization or validation of the text within these artifacts is mentioned before the agent uses the content to guide its actions.
- [COMMAND_EXECUTION]: The skill provides instructions for using the `openspec` CLI tool to perform project initialization, updates, and workflow management. These commands interact with the local filesystem and integrate with external AI tool directories (e.g., `.claude/skills`, `.cursor/`, `.pi/skills/`, `.kiro/skills/`).
- [EXTERNAL_DOWNLOADS]: The skill references the `openspec` package on npm and the official source code on GitHub for documentation and releases. These are recognized as standard project resources.
Audit Metadata