openspec-to-beads
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from local specification files (e.g., tasks.md, proposal.md) to drive its issue conversion logic, which could be exploited to influence agent behavior. Evidence Chain: (1) Ingestion points: reads files from
openspec/changes/. (2) Boundary markers: Absent; the prompt does not define explicit delimiters to isolate external data from internal logic. (3) Capability inventory: ExecutesopenspecandbdCLI tools and performs file system reads. (4) Sanitization: Absent; the process relies on the AI's internal reasoning rather than programmatic filtering. - [Data Exposure & Exfiltration] (SAFE): File access is restricted to the skill's specific data directory (
openspec/changes/). No sensitive system paths or network exfiltration patterns were found. - [Command Execution] (SAFE): Uses specific CLI tools (
openspec,bd) for their intended purpose. No arbitrary command execution or shell piping from untrusted sources was detected.
Audit Metadata