openspec-explore
Pass
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Executes the local
openspecCLI tool (openspec list --json) to retrieve project status and change context. This is a legitimate use of the vendor's own tool as defined in the skill's requirements. - [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it is designed to ingest and analyze untrusted data from the local filesystem.
- Ingestion points: Reads arbitrary files within the local codebase for investigation and specifically accesses OpenSpec artifacts (e.g.,
proposal.md,design.md) within theopenspec/changes/directory. - Boundary markers: The instructions lack explicit boundary markers or delimiters to differentiate between the agent's instructions and the content retrieved from external files.
- Capability inventory: The skill has the ability to read local files, execute the
openspecCLI, and write or update Markdown artifacts (proposals, designs, specs) based on the discussion. - Sanitization: There are no instructions provided to sanitize, escape, or ignore potentially malicious instructions embedded within the processed codebase files.
Audit Metadata