openspec-ff-change
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Executes shell commands using the openspec CLI to manage project state and generate artifacts. These operations rely on an external dependency that is not part of the trusted vendor list.
- [PROMPT_INJECTION]: Subject to indirect prompt injection risks. The skill reads content from existing artifact files and CLI output to inform the generation of new ones, which could allow malicious instructions in those files to influence the agent's behavior.
  - Ingestion points: Reads local artifact files from the openspec/changes/ directory and instructions from the openspec CLI.
  - Boundary markers: The skill does not define specific delimiters or instructions to ignore content within the dependency files or JSON context.
  - Capability inventory: Can execute openspec CLI commands and write files to the local filesystem.
  - Sanitization: No content validation or sanitization is performed on the data read from dependencies.
- [PROMPT_INJECTION]: The skill metadata identifies the author as openspec, which conflicts with the system-identified author, sillsdev. This discrepancy is deceptive and could lead to misjudgment of the skill's origin.
Audit Metadata