openspec-apply-change

Pass

Audited by Gen Agent Trust Hub on Feb 25, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses string interpolation to build shell commands, specifically openspec status --change "<name>" --json and openspec instructions apply --change "<name>" --json. If the change name is derived from untrusted user input without proper sanitization, it could lead to command injection vulnerabilities.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it processes task descriptions and context files from the openspec CLI output to perform code modifications.
      • Ingestion points: Task lists and context file paths returned by openspec instructions apply --json in step 3.
      • Boundary markers: Absent. The skill lacks instructions to ignore or treat embedded commands within the tasks as data rather than instructions.
      • Capability inventory: The skill possesses the ability to modify source code files ("Make the code changes required") and execute CLI commands based on the ingested tasks.
      • Sanitization: Absent. There is no evidence of validation or sanitization of the content before implementation.
Audit Metadata
  Risk Level: SAFE
  Analyzed: Feb 25, 2026, 12:49 AM