spec-driven-propose
Pass
Audited by Gen Agent Trust Hub on Mar 25, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands, specifically `ls .spec-driven/` to verify project initialization and `node {{SKILL_DIR}}/scripts/spec-driven.js` to scaffold and verify artifacts.
- [COMMAND_EXECUTION]: The command `node {{SKILL_DIR}}/scripts/spec-driven.js propose <name>` incorporates a user-provided string (`<name>`) directly into the shell command line. This presents a command injection risk if the agent or the underlying execution environment does not validate the input before it reaches a shell (e.g., a name such as `my-change; rm -rf /` would be parsed as two commands).
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection (Category 8) because it treats external project data as authoritative instructions.
  - Ingestion points: The skill reads `.spec-driven/config.yaml` and all markdown files within `.spec-driven/specs/` to inform its generation logic.
  - Boundary markers: Absent. There are no delimiters or instructions provided to the agent to treat the content of these files as untrusted data or to ignore embedded instructions.
  - Capability inventory: The skill can read project files, write new files to the filesystem, and execute shell commands, so an injected instruction has both a file-write sink and a command-execution sink available.
  - Sanitization: Absent. The skill explicitly instructs the agent to treat `rules` within the external `config.yaml` as "binding constraints", which an attacker who controls the project configuration could use to override the agent's behavior.
Audit Metadata