spec-analyze
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (LOW): The skill executes a local script located at '.specify/scripts/bash/check-prerequisites.sh' as part of its initialization workflow. While the path is static, shell execution is a high-capability operation that requires the script itself to be secure.
- [PROMPT_INJECTION] (LOW): The skill exhibits an Indirect Prompt Injection surface by ingesting untrusted content.
  1. Ingestion points: 'spec.md', 'plan.md', 'tasks.md', and 'constitution.md' (referenced in SKILL.md).
  2. Boundary markers: Absent; there are no explicit delimiters or instructions for the agent to ignore commands within these documents.
  3. Capability inventory: The skill has the ability to execute local bash scripts (SKILL.md).
  4. Sanitization: Absent; no sanitization or escaping of the ingested document content is described prior to analysis.
Audit Metadata