spec-driven-init
Warn
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a Node.js script, spec-driven.js, via node. Its scripts directory is mapped to ../../dist/scripts, a relative path that resolves outside the skill's own directory. The skill therefore runs code from a location on the host that is not contained in its package, which may lead to execution of unintended or malicious code.
- [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection: it instructs the agent to read arbitrary project files (e.g., README.md, package.json, AGENTS.md) and summarize their content into a project context field. Instructions embedded in those files could steer the agent's behavior during initialization or in subsequent steps.
 - Ingestion points: project documentation and configuration files (e.g., README.md, package.json, pom.xml, CLAUDE.md).
 - Boundary markers: absent; the agent is not instructed to isolate the ingested data or to ignore instructions contained in it.
 - Capability inventory: local file system read/write access and shell command execution (node).
 - Sanitization: absent; no validation or filtering is applied to content extracted from project files.
Audit Metadata