openspec-update
Warn
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill directs the agent to perform a global installation of the package @fission-ai/openspec from the npm registry. This source is not recognized as a trusted organization or well-known service in the security profile.
- [COMMAND_EXECUTION]: The skill invokes the openspec update command, which is designed to regenerate and modify configuration files in the project's local directories, specifically targeting .claude/skills/ and .cursor/rules/.
- [REMOTE_CODE_EXECUTION]: The workflow combines the installation of third-party software with immediate execution of its binaries, creating a pathway for running unverifiable external code on the host system.
Audit Metadata