speckit-review
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes bash scripts found in the .specify/scripts/bash/ directory of the repository being reviewed. This allows local repository content to control the agent's shell environment and execution flow.
- [REMOTE_CODE_EXECUTION]: Invokes standard test runners (npm test, pytest, cargo test, go test, ./gradlew test) which execute arbitrary code defined in the project's configuration and test suites. If the repository is untrusted, this results in code execution within the agent's environment.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection as it processes untrusted data from the repository.
- Ingestion points: Reads spec.md, plan.md, tasks.md, git diff output, and project source code.
- Boundary markers: Absent; there are no instructions or delimiters provided to the agent to distinguish reviewed content from its own instructions.
- Capability inventory: Capability to execute shell scripts and various language-specific test runners.
- Sanitization: None; the skill does not validate or filter the content of the files read from the repository.
- [PROMPT_INJECTION]: Direct user input from the $ARGUMENTS variable is included in the agent's instructions without sanitization, providing a surface for direct instruction override.
- [DATA_EXFILTRATION]: Accesses potentially sensitive project files, including implementation plans and specifications. While no external network exfiltration is explicitly coded, the data is ingested into the LLM context.
- [EXTERNAL_DOWNLOADS]: Automated test runners may fetch external dependencies from public registries (e.g., npmjs.org or PyPI) during the review process.