openspec-loop
Audited by Gen Agent Trust Hub on Feb 12, 2026
================================================================================
🔴 VERDICT: HIGH
This skill introduces a HIGH risk due to its design, which involves delegating the implementation of external 'OpenSpec' change proposals to subagents. The subagents are explicitly instructed to 'Implement all changes described in the spec' and 'Implement exactly what the task specifies using /openspec:apply '. This creates a significant indirect prompt injection vulnerability: if a malicious or untrusted spec is processed, the subagent could be prompted to execute arbitrary commands or perform other harmful actions. Furthermore, the skill's installation process and core functionality rely on external dependencies from an untrusted GitHub source and other unverified skills, posing an additional MEDIUM risk.
Total Findings: 2
🔴 HIGH Findings: • Indirect Prompt Injection
- SKILL.md:100, implementer-prompt.md:20: The subagent is instructed to 'Implement all changes described in the spec' and 'Implement exactly what the task specifies using /openspec:apply '. This means the content of the external spec is directly interpreted and executed by the subagent, creating a high risk of indirect prompt injection if a malicious spec is processed.
🟡 MEDIUM Findings: • Unverifiable Dependencies
- README.md:30, SKILL.md:144: The installation command 'npx skills add https://github.com/viteinfinite/skills --skill openspec-loop' downloads from 'github.com/viteinfinite/skills'. 'viteinfinite' is not a trusted GitHub organization. Additionally, the skill requires 'openspec:apply' and 'openspec:archive' skills, which are external and not provided for analysis, making them unverifiable dependencies.
================================================================================
- AI detected serious security threats