spec-workflow
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICALPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill is designed to ingest untrusted user input (requirements) and write that content into structured documentation files, creating a potential surface for indirect prompt injection.
- Ingestion points: User-provided requirements and feature descriptions in Phase 1.
- Boundary markers: Absent; the prompt instructions do not specify the use of delimiters or 'ignore instructions' warnings when writing user content to files.
- Capability inventory: The skill has file-writing capabilities within the 'specs/' directory.
- Sanitization: Absent; no validation or escaping of user input is defined.
- Mitigation: The workflow mandates explicit user confirmation at the end of every phase, ensuring a human-in-the-loop review of the agent's output before it proceeds to execution.
- External Downloads (SAFE): An automated scanner alert flagged 'requirements.md' as a malicious URL. This is a false positive.
- Evidence: Analysis of the skill text shows 'requirements.md' is used exclusively as a local filename for document storage ('specs/spec_name/requirements.md'). There are no network requests, 'curl' commands, or external URLs present in the skill content.
- Command Execution (SAFE): No unauthorized command execution, privilege escalation, or shell access patterns were detected.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata