openspec-new-change
Pass
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill constructs and executes local shell commands such as `openspec new change "<name>"` using a variable derived from user input. While the variable is double-quoted, malicious shell metacharacters could be injected if the AI fails to strictly adhere to the kebab-case naming instruction.
- [PROMPT_INJECTION] (LOW): The skill presents an indirect prompt injection surface (Category 8) by processing untrusted user descriptions to generate command-line arguments. Evidence Chain:
  1. Ingestion points: Step 1 collects user input via the `AskUserQuestion` tool.
  2. Boundary markers: The `<name>` variable is enclosed in double quotes within the shell command templates.
  3. Capability inventory: The skill executes the `openspec` CLI across multiple steps (3, 4, and 5).
  4. Sanitization: The skill relies on the AI's logical capability to 'derive a kebab-case name' rather than a programmatic or hardcoded sanitization layer.