spec-engineer
Warn
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: MEDIUM (findings: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly generates and facilitates the execution of shell commands. In Phase 3, it provides templates for a 'Self-Fix-Protocol' that includes bash commands for building (npm run build), testing (pytest, playwright), and version control (git add, git commit). Phase 4 further encourages the agent to 'directly get started' with execution upon user approval.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from the local project environment and incorporates it into instructions for downstream agents.
  - Ingestion points: In Phase 1, the skill reads project-level files such as package.json, README.md, CLAUDE.md, and AGENTS.md, as well as the current conversation context.
  - Boundary markers: The skill lacks delimiters or explicit instructions to ignore potentially malicious directions embedded within the ingested project files.
  - Capability inventory: The skill possesses the ability to write files (SPEC.md and prompt files) and provides a structured path for shell command execution via generated bash scripts.
  - Sanitization: No sanitization, escaping, or validation of the content read from the project files is performed before it is interpolated into the generated specifications or agent prompts.
Audit Metadata