speckit-plan
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill triggers the execution of local shell scripts located within the repository:
.specify/scripts/bash/setup-plan.shand.specify/scripts/bash/update-agent-context.sh. These scripts are invoked from the repository root and are passed user-provided arguments, which the skill attempts to escape. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by ingesting and acting upon untrusted data from feature specifications and user arguments.
- Ingestion points: Technical context is loaded from
FEATURE_SPEC,.specify/memory/constitution.md, and user-provided$ARGUMENTS(SKILL.md). - Boundary markers: Absent; there are no delimiters or explicit instructions to the agent to disregard instructions embedded within the processed feature specifications.
- Capability inventory: The skill possesses the ability to execute bash scripts, write various documentation files to the filesystem (e.g.,
research.md,data-model.md), and dispatch additional research tasks (SKILL.md). - Sanitization: No evidence of validation or sanitization is present for the input data before it is used to define technical architecture and implementation phases.
Audit Metadata