superspec-plan

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill extracts content from untrusted external files (specs/**/spec.md) and interpolates it into generated files that define executable behavior. Specifically, it pulls Verify Command strings from scenario test obligations and writes them into tasks.md. An attacker can craft a malicious specification that includes dangerous shell commands (e.g., data exfiltration or system modification) in these fields. Ingestion points: proposal.md and specs/**/spec.md. Boundary markers: None present; the skill blindly trusts the content of the specifications. Capability inventory: Executes the openspec CLI and performs file write operations (design.md, tasks.md). Sanitization: None; the skill does not validate or escape the extracted command strings before outputting them.
  • [Command Execution] (MEDIUM): The skill performs multiple subprocess calls to the openspec CLI tool and uses the output of these commands to determine file write paths (outputPath). If the CLI tool is compromised, or its input (the change name) is manipulated so that it returns a malicious path, the agent could be tricked into overwriting sensitive system files.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 12:05 AM