openspec-archive-change
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands (`mkdir`, `mv`) and vendor CLI tools (`openspec`) that incorporate variables such as `<name>`. If these variables contain shell metacharacters (e.g., `;`, `&&`, `|`) and are not sanitized by the execution environment, it could lead to arbitrary command execution on the host system.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the file system and includes it in prompts sent to sub-agents via the Task tool.
  - Ingestion points: Reads task completion statuses from `tasks.md` and reads the content of delta specification files from the `openspec/changes/<name>/specs/` directory.
  - Boundary markers: The prompt instructions for the sub-agent in Step 4 do not use explicit delimiters (like XML tags or triple quotes) or provide warnings to ignore instructions embedded within the file summaries.
  - Capability inventory: The skill has the ability to execute shell commands, read/write files in the local project directory, and invoke other agent skills/tools.
  - Sanitization: There is no evidence of content validation or sanitization for the data retrieved from `tasks.md` or delta specs before it is passed to the next step in the workflow.
Audit Metadata