openspec-archive-change
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill interpolates the variable directly into shell commands without validation. * Evidence: Step 5 uses
mv openspec/changes/<name> ...and Step 2 usesopenspec status --change "<name>". * Risk: An attacker-controlled change name could include shell metacharacters (e.g.,;,|) to execute arbitrary commands or path traversal sequences to move system files. - [PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8) due to its ingestion of untrusted data and high-privilege capabilities. * Ingestion points: The skill reads
tasks.md(Step 3) and output fromopenspec status --json(Step 2). * Boundary markers: Absent. There are no instructions to the agent to treat the content of these files as data only or to ignore embedded instructions. * Capability inventory: The skill has the capability to modify the file system (mkdir,mv) and execute CLI commands. * Sanitization: Absent. The skill does not specify any validation or escaping for the data read from files or external tool outputs. - [EXTERNAL_DOWNLOADS] (LOW): The skill depends on an external CLI tool that is not from a predefined trusted source. * Evidence: Compatibility metadata specifies 'Requires openspec CLI'. * Risk: The skill's functionality relies on the presence of an external tool whose integrity cannot be verified by the skill's code alone.
Recommendations
- AI detected serious security threats
Audit Metadata