speckit-refactor
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local bash script located at
.specify/scripts/bash/create-refactor.sh. It passes user-provided input directly to this script using the--jsonflag. While this is a core part of the refactoring tool's functionality, it involves executing command-line logic based on external arguments. - [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection. It ingests user-provided refactoring descriptions and writes them into multiple files, such as the refactor specification and behavioral snapshots. These files are subsequently used to guide the agent's planning and implementation phases, meaning malicious instructions embedded in the initial input could influence later actions.
- Ingestion points: User input provided via the
$ARGUMENTSvariable inSKILL.md. - Boundary markers: No delimiters or instructions to ignore embedded commands are used when interpolating user input.
- Capability inventory: The skill performs shell script execution and file write operations across its workflow.
- Sanitization: There is no evidence of input validation or sanitization before the user input is processed or stored in the project's specification files.
Audit Metadata