openspec-design
Audited by Socket on Feb 27, 2026
1 alert found:
Obfuscated File

The extension's functionality aligns with its stated goal (automating design asset ingestion and documenting it in the repo). However, several high-impact security risks are present: mandatory outbound MCP calls (exfiltration risk), copying arbitrary local files into the repository (sensitive-file disclosure), and automated modification of a central agents policy file (privileged repo-write risk). The code is not overtly malicious based on the fragment, but it enables behaviors that could be abused or cause accidental data exposure.

Recommended mitigations before use: require explicit per-action user consent for external MCP calls and for copying local files; restrict copying to a whitelist of safe image types and vetted directories; validate asset content-types and sizes; require human review or a pull-request workflow for any edits to openspec/AGENTS.md; and mandate secure MCP authentication (TLS, scoped/ephemeral tokens) and logging of MCP interactions. Treat this module as medium-risk until safeguards are implemented.