spec-driven-dev
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core logic depends on ingesting untrusted data from the local repository to determine its behavior and execution steps.
  - Ingestion points: The skill reads `specs/README.md` for project overrides (languages, templates, and auto-invocation commands) and `specs/*.md` for task instructions.
  - Boundary markers: Absent. There are no mechanisms to distinguish between developer instructions and malicious content embedded in the specifications or configuration files.
  - Capability inventory: The skill is granted the `Bash`, `Write`, `Edit`, `Glob`, and `Task` tools, providing it with significant control over the local system and repository.
  - Sanitization: Absent. The skill does not sanitize the content of the specs before using them to drive the `/spec.run` execution phase.
- [Command Execution] (HIGH): The skill uses the `Bash` tool to execute tasks defined in specifications. Because these specifications are stored as plain markdown files in the repository, a malicious actor could insert arbitrary shell commands into a spec file, which the agent would then execute during the `/spec.run` phase.
- [Data Exposure] (LOW): The skill uses a `gemini` CLI tool (`gemini -m gemini-3-pro-preview`) to analyze specs. This involves sending potentially sensitive repository content to an external AI provider. While this is often intended behavior for AI agents, it represents a data outflow that users should be aware of.
- [Unverifiable Dependencies] (LOW): The skill auto-invokes other language-specific skills (e.g., `/python`, `/golang`) based on file detection. While these are likely internal or trusted, the dynamic nature of this invocation based on repository content is a minor risk factor.
Recommendations
- AI detected serious security threats