speckit-checklist
Warn
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill workflow begins by executing a local shell script located at `.specify/scripts/bash/check-prerequisites.sh`. This script is part of the repository's internal tooling and is used to derive configuration variables for subsequent steps. Execution of shell scripts poses a risk if the script content is malicious or can be influenced by local environmental factors.
- [DATA_EXFILTRATION]: The skill creates and writes to a directory `FEATURE_DIR/checklists/`. While this is intended for checklist generation, the capability to create directories and write files could be misused to write data to unauthorized locations on the local filesystem.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted content from local markdown files (`spec.md`, `plan.md`, `tasks.md`) and incorporates it into the agent's generation context.
  - Ingestion points: Content is read from `spec.md`, `plan.md`, and `tasks.md` within the dynamically determined `FEATURE_DIR`.
  - Boundary markers: The instructions do not specify the use of delimiters (such as XML tags or triple backticks) or explicit 'ignore embedded instructions' warnings when processing the content of these files.
  - Capability inventory: The skill possesses the ability to execute shell scripts (`check-prerequisites.sh`), read various project files, and write new files to the filesystem.
  - Sanitization: No evidence of sanitization, validation, or escaping of the ingested markdown content is present before it is used to generate the final checklist output.
Audit Metadata