openspec-apply-change

Fail

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill presents a HIGH security risk primarily due to its reliance on an unverified external command-line interface (openspec CLI) and the instructions to read files whose paths are determined by this external tool. This creates significant vectors for data exfiltration and arbitrary command execution.

Total Findings: 4

🔴 HIGH Findings:

  • Data Exfiltration
    Line 44: The skill explicitly instructs the AI to "Read the files listed in contextFiles from the apply instructions output." The contextFiles are provided by the openspec instructions apply --change "<name>" --json command. If the openspec CLI is malicious or compromised, it could return paths to sensitive files (e.g., ~/.ssh/id_rsa, /etc/passwd, .env files) in its contextFiles output. The AI would then be instructed to read these files, making their content accessible to the LLM and potentially to an attacker via subsequent prompts or actions.

  • Command Execution
    Line 28: The skill executes multiple openspec commands (e.g., openspec list --json, openspec status --change "<name>" --json, openspec instructions apply --change "<name>" --json). Since openspec is an unverified external dependency, its execution poses a command execution risk: a malicious openspec CLI could perform arbitrary actions on the system. Additionally, the instruction "Make the code changes required" implies the AI will be performing file write operations, which could be abused if the openspec CLI or the "tasks file" content is malicious.

🟡 MEDIUM Findings:

  • Unverifiable Dependency
    Line 4: The skill explicitly states compatibility: Requires openspec CLI. The openspec CLI is an external dependency that is not part of the trusted sources list. The behavior of this CLI cannot be verified from the provided skill description, making it a black box. This finding contributes to the overall HIGH risk when combined with the command execution and data exfiltration risks.

🔵 LOW Findings: • None

ℹ️ TRUSTED SOURCE References: • None

================================================================================

Recommendations
  • AI detected serious security threats

Audit Metadata
  Risk Level: HIGH
  Analyzed: Feb 13, 2026, 01:47 AM