spec-driven
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL (PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill coordinates a multi-step workflow where user-supplied feature descriptions and feedback are passed directly to subagents. If the user input contains malicious instructions, the subagents might execute them.
  - Ingestion points: Phase 1 (feature description) and all Approval Gates (user feedback) defined in SKILL.md.
  - Boundary markers: None. There are no instructions to the subagents to ignore instructions embedded in the user input.
  - Capability inventory: Subagents have the ability to write files (requirements.md, design.md, tasks.md) and, in the case of the implementation agent, use MCP servers to interact with GitHub, Jira, and Figma.
  - Sanitization: None. User input is passed as-is to the launch commands.
- [EXTERNAL_DOWNLOADS] (SAFE): The automated scanner alert regarding requirements.md appears to be a false positive. Analysis of SKILL.md confirms that requirements.md is used exclusively as a local filename for documentation storage. No actual URL or remote download mechanism was found.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata