speccy
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill documentation references a dependency on the 'create-specification' skill and provides an installation command for the author's own repository (slamb2k/mad-skills). This is a documented vendor resource.
- [COMMAND_EXECUTION]: The skill uses directory management commands (mkdir -p specs) to organize its output specifications.
- [COMMAND_EXECUTION]: The skill orchestrates workflows by invoking other functional skills such as 'create-specification' and 'build'.
- [PROMPT_INJECTION]: The skill processes local project files as context, which presents a surface for indirect prompt injection.
- Ingestion points: Reads CLAUDE.md, existing specifications, design documents, and source code in Stage 1.
- Boundary markers: The instructions do not define explicit delimiters or instructions to ignore potential commands embedded within the analyzed project files.
- Capability inventory: The skill has access to file system modification tools (Write, Edit), shell access (Bash), and the ability to trigger other agent skills (build).
- Sanitization: No explicit sanitization or filtering of the content retrieved from the analyzed project files is described.
Audit Metadata