openspec-apply-change
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill intentionally executes several shell commands (openspec list, openspec status, openspec instructions) to interact with the local environment. These are scoped to the tool's primary purpose.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill has a mandatory dependency on the openspec CLI. Since this CLI and its author are not part of the trusted organizations list, it represents an unverifiable external dependency that the user must install independently.
- PROMPT_INJECTION (LOW): Indirect Prompt Injection Surface Detected.
  - Ingestion points: The skill reads content from contextFiles (e.g., proposal, specs, tasks) and processes 'Dynamic instructions' returned by the CLI.
  - Boundary markers: Absent. There are no explicit delimiters or instructions for the agent to ignore malicious commands embedded within the project files it reads.
  - Capability inventory: The agent has the capability to write/modify local source code and execute CLI commands based on the data it ingests from these files.
  - Sanitization: Absent. The skill does not specify any validation or sanitization for the instructions or file paths provided by the CLI output.
Audit Metadata