specs
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): The skill directs users to install and initialize the 'speckit' tool from an untrusted repository. \n
- Evidence:
tools/speckit/SKILL.mdcontains instructions fornpx speckit initandpip install speckit. \n - Risk: The source
github/spec-kitis not on the trusted external source list, leading to potential execution of malicious remote code during installation. \n- PROMPT_INJECTION (HIGH): The 'speckit' sub-skill defines an end-to-end automated workflow that lacks security boundaries for external data. \n - Ingestion points: Untrusted natural-language prompts enter the system via the
/speckit.specifycommand. \n - Boundary markers: Absent; there are no instructions to delimit or ignore instructions within the generated specifications. \n
- Capability inventory: The
/speckit.implementcommand has the capability to write and execute code across the entire project based on the (potentially poisoned) specification. \n - Sanitization: Absent; no validation or filtering is mentioned for the transition from user prompt to implementation. \n- COMMAND_EXECUTION (MEDIUM): Initialization of the recommended tooling involves modifying the agent's core configuration files. \n
- Evidence:
tools/speckit/SKILL.mdexplicitly states that it 'installs its slash commands into your project's agent configuration folder (.claude/, .github/prompts/, .cursor/, etc.)'. \n - Risk: This allows an external tool to persist and modify the agent's behavior across sessions without manual verification of the injected prompts.
Recommendations
- AI detected serious security threats
Audit Metadata