speckit-analyze
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local bash script at .specify/scripts/bash/check-prerequisites.sh during initialization. This script is used to verify the project environment and locate necessary files before analysis begins.
- [PROMPT_INJECTION]: The skill processes content from untrusted local markdown files (spec.md, plan.md, tasks.md), which represents an indirect prompt injection surface.
  - Ingestion points: Reads spec.md, plan.md, and tasks.md from the project's feature directory.
  - Boundary markers: The skill does not implement explicit boundary markers or instructions to ignore embedded agent directives within the analyzed files.
  - Capability inventory: The skill executes a local bash script at startup but is otherwise constrained to read-only operations.
  - Sanitization: Content is parsed into semantic models for the purpose of generating a consistency report rather than being used to construct executable commands.
Audit Metadata