spec-step-execution

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its core design of literal instruction following from external data.
  • Ingestion points: The skill reads and processes external data from 'Spec file path' and 'Research file path' (SKILL.md).
  • Boundary markers: No delimiters or defensive instructions are used to distinguish between the skill's logic and the potentially malicious instructions within the spec file.
  • Capability inventory: The skill is granted broad execution permissions, including 'Run commands, tests, builds as needed', 'Invoke skills', 'Spawn focused sub-agents', and artifact modification.
  • Sanitization: There is no evidence of sanitization or validation of the spec content; the instruction to 'Follow the spec literally' (Process Step 3) explicitly encourages the agent to obey any instructions found within the untrusted file.
  • [COMMAND_EXECUTION] (HIGH): The 'Available Tools' section explicitly authorizes the agent to 'Run commands, tests, builds as needed'. When combined with the lack of input validation on the spec file, this creates a direct path for remote attackers to execute arbitrary shell commands on the host system.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 08:20 AM