openspec-verify-change
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill dynamically constructs shell commands using the `<name>` variable (e.g., `openspec status --change "<name>" --json`). Because this variable can be 'specified' by the user or 'inferred from conversation context' without explicit sanitization or escaping, an attacker could provide a malicious change name containing shell metacharacters (e.g., `; rm -rf /;`) to execute arbitrary commands on the host system.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requires the `openspec` CLI to be installed and available in the environment. This tool and its author are not part of the defined list of trusted organizations or repositories, posing a supply chain risk.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data from the local environment to generate reports.
  - Ingestion points: `tasks.md`, `design.md`, delta spec files in `openspec/changes/<name>/specs/`, and the general codebase.
  - Boundary markers: Absent; the skill reads these files directly and parses their content (e.g., looking for '### Requirement:') without delimiters to isolate instructions from data.
  - Capability inventory: Shell command execution via the `openspec` CLI.
  - Sanitization: Absent; the skill relies on the LLM to 'parse' and 'assess' content without technical filtering of malicious instructions embedded in specs or code comments.
Recommendations
- AI detected serious security threats