openspec-apply-change

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection because its core logic involves reading and executing instructions from external, potentially untrusted project files.
  • Ingestion Points: The agent reads the content of every file named in the contextFiles list (specs, tasks, design documents) and also follows "dynamic instructions" taken from the output of the openspec-cn instructions apply CLI command. Both sources are controlled by whoever can write to the project, not by the skill author.
  • Boundary Markers: Absent. There are no delimiters or instructions to ignore embedded commands within the processed files, increasing the likelihood that the agent will obey malicious instructions hidden in documentation.
  • Capability Inventory: The agent has the authority to perform "required code changes" (file system writes) and execute CLI commands, providing a high-impact path for an injection attack.
  • Sanitization: No evidence of sanitization, filtering, or validation of the content found in external project files is present.
  • [COMMAND_EXECUTION] (MEDIUM): The skill executes external binaries (openspec and openspec-cn) with dynamically built arguments. These invocations are functional requirements, but passing arguments derived from the environment or from project state through a local shell adds an attack surface unless every such argument is strictly validated before use.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 11:05 AM