openspec-archive-change
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface detected.
- Ingestion points: The skill reads content from
tasks.mdand spec files within theopenspec/directory structure to assess completion and synchronization state. - Boundary markers: Absent. The instructions do not define delimiters or provide specific warnings to the agent to disregard potential instructions embedded within the processed file content.
- Capability inventory: The skill utilizes shell command execution (via the
openspecCLI,mkdir, andmvcommands) and file system access. - Sanitization: None. The skill processes data from external files without validation or escaping logic.
- [COMMAND_EXECUTION]: Potential for command injection through shell parameter interpolation.
- The skill constructs shell commands using a variable name, such as
openspec status --change "<name>" --jsonandmv openspec/changes/<name> .... - If the change name is derived from untrusted input and contains shell metacharacters (e.g.,
;,&&,|), it could lead to the execution of arbitrary commands on the system.
Audit Metadata