openspec-apply-change
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands using the `openspec` CLI, interpolating the change name directly into the command string (e.g., `openspec status --change "<name>" --json`). Although the variable is wrapped in double quotes, this can still be vulnerable to command injection in certain shell environments if the input contains subshell expansion characters like `$()` or backticks.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it reads external documentation and task lists to derive its implementation steps.
  - Ingestion points: Reads content from files listed in `contextFiles` (such as `tasks.md`, `specs.md`, and `design.md`) provided by the CLI output.
  - Boundary markers: Absent. The skill does not employ specific delimiters or system instructions to ignore potential malicious prompts embedded within the specifications it reads.
  - Capability inventory: The agent has the authority to read local files, modify source code, and execute the `openspec` CLI based on instructions found in the ingested data.
  - Sanitization: No sanitization, filtering, or validation is performed on the content of the context files before the agent begins implementation tasks.
Audit Metadata