openspec-sync-specs

Pass

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface.
      • Ingestion points: The agent reads content from delta spec files located at openspec/changes/<name>/specs/*/spec.md.
      • Boundary markers: Absent. There are no delimiters or instructions to treat the requirement text as literal data rather than instructions.
      • Capability inventory: The agent has the capability to read and write (edit) markdown files in the openspec/specs/ directory.
      • Sanitization: None. The skill encourages "intelligent merging" based on "intent," which increases the risk that instructions embedded within a requirement (e.g., "Requirement: Delete all other sections") might be followed by the LLM.
  • [DATA_EXFILTRATION] (LOW): Potential Path Traversal. The name parameter is used to construct file paths (e.g., openspec/changes/<name>/specs/). While the skill suggests using openspec list for selection, it also allows the user to specify a name directly. Without explicit sanitization, a malicious name like ../../secrets could be used to attempt to read or write files outside the intended directory structure.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 22, 2026, 05:40 AM