openspec
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the 'openspec' CLI and shell utilities like 'mkdir' and 'rg' (ripgrep) to manage project state and files. These commands are executed locally as part of the proposed development workflow.
- [PROMPT_INJECTION]: The skill relies on 'proposal.md' and 'tasks.md' files to guide the agent during the implementation phase, which creates a surface for indirect prompt injection.
- Ingestion points: The agent reads and interprets contents from 'proposal.md', 'tasks.md', and 'design.md' files within the 'openspec/changes/' directory.
- Boundary markers: The skill does not implement delimiters or 'ignore instructions' warnings to prevent the agent from being influenced by adversarial content within these files.
- Capability inventory: The agent has permissions to create directories, move files, and invoke the 'openspec' CLI tool based on the content of the specification files.
- Sanitization: The workflow lacks any sanitization or validation of the natural language instructions contained in the specification documents before the agent attempts to fulfill the implementation tasks.