openspec-bulk-archive-change

Warn

Audited by Gen Agent Trust Hub on Feb 13, 2026

Risk Level: MEDIUM
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis

The skill openspec-bulk-archive-change describes a process for batch archiving changes using an external command-line interface, openspec. The primary security concern is the reliance on this openspec CLI tool.

Findings:

  • Unverifiable Dependencies (MEDIUM): The skill explicitly states the compatibility requirement "Requires openspec CLI." and instructs the agent to run commands such as openspec list --json and openspec status --change "<name>" --json. The openspec CLI is an external dependency that is neither provided nor auditable within the skill's definition, so its behavior, security, and integrity cannot be verified by this analysis. If the openspec CLI itself were malicious or compromised, the skill would inherit those risks. This is a MEDIUM severity finding because the skill's core functionality depends on an unverified external executable.

  • Command Execution (INFO): The skill instructs the agent to execute shell commands such as mkdir -p openspec/changes/archive and mv openspec/changes/<name> openspec/changes/archive/YYYY-MM-DD-<name>. It also implicitly runs openspec commands. While these specific commands are benign in the context of the skill's stated purpose (archiving files within a project directory), the capability to execute arbitrary commands via an external CLI (openspec) introduces a potential attack surface if the openspec tool itself is compromised or misused.

  • Indirect Prompt Injection (INFO): The skill involves reading content from openspec/changes/<name>/tasks.md, openspec/changes/<name>/specs/ directories, and generally 'searching the codebase for implementation evidence'. If these files or the codebase itself contain malicious instructions or data, there's a risk of indirect prompt injection, where the AI might be influenced by untrusted external content it processes. This is a general risk for skills that interact with user-provided or external data.

No other critical threats were identified:

  • No explicit prompt injection attempts (e.g., IMPORTANT: Ignore previous instructions). The use of IMPORTANT is for internal skill logic.
  • No direct data exfiltration of sensitive system files (e.g., ~/.aws/credentials, ~/.ssh/id_rsa) or network calls to non-whitelisted domains are present.
  • No obfuscation techniques were detected in the skill's markdown.
  • No privilege escalation attempts (e.g., sudo, chmod 777 on system files) were found.
  • No persistence mechanisms (e.g., modifying .bashrc, creating cron jobs) were identified.
  • No metadata poisoning was found in the skill's metadata fields.
  • No time-delayed or conditional attacks were detected.

Conclusion: The skill's primary risk stems from its reliance on an unverified external openspec CLI tool. While the skill's own instructions appear to be well-intentioned and focused on its stated purpose, the security of the overall operation is dependent on the security and integrity of the openspec executable.

Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 13, 2026, 01:47 AM