spec-distill

Warn

Audited by Gen Agent Trust Hub on Feb 26, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands using variables derived from user input without adequate validation. In Phase 5, the command 'rm -rf scripts/staging/distill-/' is performed, where the path segment following 'distill-' is derived from the user-provided file path. Without sanitization, an attacker could potentially use directory traversal (e.g., '../../') to target unauthorized directories for deletion.
  • [PROMPT_INJECTION]: The skill exhibits an Indirect Prompt Injection surface through the ingestion of untrusted markdown files. 1. Ingestion points: File content from the path provided in the '/spec-distill' command is read and passed to sub-agents. 2. Boundary markers: Absent. The sub-agent prompt lacks delimiters or instructions to ignore embedded commands within the specification content. 3. Capability inventory: The skill has the ability to read and write files, create directories, and execute shell commands like 'grep' and 'rm'. 4. Sanitization: Absent. No filtering or escaping is applied to the markdown content before it is processed by sub-agents.
  • [DATA_EXFILTRATION]: The skill can be directed to read and process arbitrary local files via the input path argument. This allows a user to point the tool at sensitive files (such as configuration files or documentation containing secrets), causing the agent to extract and potentially expose the content within the generated skill package or staging directory.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 26, 2026, 04:47 PM