openspec-verify-change
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill interpolates the
<name>variable directly into shell commands (e.g.,openspec-cn status --change "<name>"). If the variable is not properly sanitized by the agent framework, it could lead to command injection attacks. - [PROMPT_INJECTION] (HIGH): This skill exhibits a significant surface for Indirect Prompt Injection. It reads and parses external, potentially attacker-controlled content to perform its core logic.
- Ingestion points: The skill reads
tasks.md, incremental specification files inopenspec/changes/<name>/specs/, and various source code files across the repository. - Boundary markers: None are specified; the agent is instructed to directly parse and interpret the requirements and scenarios found within these files.
- Capability inventory: The agent has the ability to execute local CLI commands and access the filesystem.
- Sanitization: No sanitization or validation of the content within the specs/tasks is mentioned, allowing malicious instructions embedded in documentation to potentially influence agent behavior during the verification phase.
Recommendations
- AI detected serious security threats
Audit Metadata