openspec-sync-specs
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It reads 'delta spec' files from `openspec/changes/<name>/specs/*/spec.md` and treats their content as instructions for performing an 'intelligent merge' into main specification files. An attacker with the ability to modify these delta files could inject instructions to manipulate the agent's behavior.
  - Ingestion points: delta spec files located at `openspec/changes/<name>/specs/*/spec.md`.
  - Boundary markers: Absent. The agent is instructed to read and 'understand' the changes without explicit delimiters or instructions to ignore embedded commands.
  - Capability inventory: The skill can read and write files within the `openspec/` directory and execute the `openspec` CLI tool.
  - Sanitization: Absent. The skill relies on the agent's judgment to apply changes, which provides a surface for instruction following from the processed data.
- [COMMAND_EXECUTION]: The skill executes the `openspec list --json` command to retrieve a list of available changes. This is a functional requirement of the skill and uses the vendor's own CLI tool.
Audit Metadata