roadmap-milestone

Pass

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: SAFE
[COMMAND_EXECUTION] [PROMPT_INJECTION]
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local Node.js utility script for project initialization and roadmap validation.
      • Evidence: SKILL.md defines the commands init and verify-roadmap, which execute node {{SKILL_DIR}}/scripts/spec-driven.js.
  • [PROMPT_INJECTION]: The skill has an indirect prompt injection surface because it reads and processes data from external files that may be under the control of an attacker.
      • Ingestion points: Reads .spec-driven/config.yaml, .spec-driven/roadmap/INDEX.md, and various milestone markdown files from the project root.
      • Boundary markers: Absent; the agent is given no instructions to treat the content of these files as untrusted data or to ignore embedded instructions.
      • Capability inventory: The skill can create/update markdown files and execute Node.js scripts via the command line.
      • Sanitization: No sanitization or validation logic is specified for the content extracted from the roadmap or configuration files.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 18, 2026, 03:29 PM