openspec-apply-change

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes the 'openspec' CLI tool using subcommands like 'list', 'status', and 'instructions' to retrieve project state and task details. This is the intended behavior of the skill but involves local shell command execution.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through external data ingestion. It reads content from artifacts like proposals, specs, designs, and task files, and follows the instructions contained within to modify the codebase.
    • Ingestion points: Content is read from 'contextFiles' and task artifacts as directed by the 'openspec' CLI output (SKILL.md, Steps 4 and 6).
    • Boundary markers: Absent. The skill instructions do not define delimiters or provide guidance to the agent to disregard instructions embedded within the ingested files.
    • Capability inventory: The skill allows the agent to modify local source code and execute CLI commands based on task descriptions, providing a vector for malicious actions if task files are compromised.
    • Sanitization: Absent. There is no validation or filtering step to ensure the safety of instructions read from external project files before they are implemented as code changes.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 06:01 AM