The Agent Skills Directory

[COMMAND_EXECUTION] (MEDIUM): The skill dynamically constructs shell commands using variables like <name> and <artifact-id> in Steps 2, 3, and 4 (e.g., openspec-cn status --change "<name>"). If these variables are sourced from malicious project files or unvalidated user input containing shell metacharacters (e.g., ; or |), it could lead to arbitrary command execution on the host system.
[PROMPT_INJECTION] (LOW): Indirect prompt injection vulnerability. Ingestion points: Untrusted data enters the agent context via the openspec-cn instructions command output, specifically the context, rules, and instruction fields. Boundary markers: None are present; the skill explicitly directs the agent to 'Apply context and rules as constraints' when generating output, which could lead to the agent following malicious instructions embedded in the project files. Capability inventory: The skill has the ability to execute local shell commands and write files to the filesystem. Sanitization: There is no evidence of sanitization or filtering for the interpolated content before it is processed by the LLM.

openspec-continue-change