spec-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: CRITICALPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface (Category 8) as it processes external user requirements and incorporates them into documentation files.
- Ingestion points: User-provided requirement details and architectural constraints enter the agent context during Phase 1 (Requirements) and Phase 2 (Design) and are saved to files in the
specs/directory. - Boundary markers: The skill does not define or use delimiters (such as XML tags or specific block separators) to isolate untrusted user data when writing to
requirements.mdordesign.md, nor does it instruct the agent to ignore instructions embedded within that data. - Capability inventory: The agent is authorized to write markdown files to the local file system and utilize the
interactiveDialogtool for user communication. - Sanitization: The workflow does not include sanitization, validation, or escaping logic to ensure that user-provided text does not contain malicious instructions that could influence subsequent steps of the agent's workflow.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata