roadmap-propose
Pass
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill executes its own internal Node.js scripts (spec-driven.js) to initialize projects, scaffold new changes, and verify artifact formatting. These operations are conducted using standard local execution patterns.
- [DATA_EXFILTRATION]: The skill reads local project files, including .spec-driven/config.yaml and roadmap documentation, to gather context for scaffolding. No network activity or unauthorized data transmission was detected.
- [PROMPT_INJECTION]: The skill processes untrusted project data (milestone files and specifications) which constitutes an indirect prompt injection surface.
- Ingestion points: .spec-driven/config.yaml, .spec-driven/roadmap/INDEX.md, and milestone files containing planned changes.
- Boundary markers: No specific boundary markers or 'ignore' instructions are used when processing external project content.
- Capability inventory: Local file system read access and execution of internal Node.js scripts.
- Sanitization: There is no evidence of sanitization or validation of the data ingested from the project files before it is used to generate new artifacts.
Audit Metadata