
openspec-to-beads

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION] (MEDIUM): Indirect Prompt Injection vulnerability via untrusted file ingestion.
      • Ingestion points: The skill reads proposal.md, tasks.md, and spec.md from the openspec/changes/ directory to drive its 'Intelligent Conversion Process'.
      • Boundary markers: None. The skill does not define delimiters or instructions to ignore embedded commands within the ingested files, making it susceptible to instructions hidden in specs.
      • Capability inventory: The skill has the capability to execute CLI commands (openspec, bd) and create persistence/tracking infrastructure (epics and issues).
      • Sanitization: No explicit sanitization or validation of the contents of the planning files is performed before they are processed by the LLM to generate commands.
  • [COMMAND_EXECUTION] (LOW): Execution of local CLI tools with interpolated parameters.
      • Evidence: The skill executes openspec show <change-name> and bd list. If the <change-name> variable or the contents of the referenced files contain shell metacharacters, it could lead to command injection depending on how the underlying agent handles subprocess execution.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 16, 2026, 03:08 AM