openspec-archive-change
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE (flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands such as `openspec status --change "<name>"` and `mv openspec/changes/<name> ...`. The `<name>` variable is sourced from user input or conversation context. Although the instructions place the interpolated value in double quotes, there is no explicit requirement to validate or sanitize it for shell metacharacters, so a maliciously crafted change name could lead to unintended command behavior.
- [PROMPT_INJECTION]: The skill processes untrusted data from external sources, specifically the contents of `tasks.md` and the JSON output of the `openspec` CLI. This constitutes an indirect prompt injection surface.
  - Ingestion points: The agent reads the `tasks.md` file in Step 3 and parses CLI output in Step 2.
  - Boundary markers: No explicit delimiters or instructions are provided to make the agent ignore or isolate natural-language instructions embedded in `tasks.md` or the CLI output.
  - Capability inventory: The agent can create directories (`mkdir`), move files (`mv`), and execute project-specific CLI tools (`openspec`).
  - Sanitization: No sanitization or validation logic is specified for the content read from `tasks.md` before the agent processes it.
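As an added example (not part of the audited skill or of the openspec project), the following POSIX shell shows the check the COMMAND_EXECUTION finding asks for: an allowlist validation of the change name before it is interpolated into either command. The accepted name format, the archive destination argument, and the `DRY_RUN` switch are assumptions made here; the page does not specify them. The check rejects shell metacharacters, path separators and `..` traversal, and names beginning with `-` that `mv` would otherwise parse as options, and the commands themselves are issued with `--` and quoting so a validated name can only ever be a single operand.

```shell
#!/bin/sh
# Added example, not the audited skill's own code.
# Assumed change-name format (not defined on the page): 1-64 characters from
# [A-Za-z0-9._-], not starting with '-' or '.', no '/' and no '..'.
validate_change_name() {
  name=$1
  case "$name" in
    '')                 return 1 ;;   # empty
    -* | .*)            return 1 ;;   # would parse as an option, or be ./..
    *..*)               return 1 ;;   # directory traversal
    */*)                return 1 ;;   # path separator
    *[!A-Za-z0-9._-]*)  return 1 ;;   # any metacharacter, space, quote, newline, $(...)
  esac
  [ "${#name}" -le 64 ]
}

# Hypothetical wrapper for the two commands the page quotes. The destination
# directory is an assumption; the page elides it. With DRY_RUN=1 the commands
# are only printed, so the example runs without the openspec CLI installed.
archive_change() {
  name=$1
  dest=${2:-openspec/archive}
  validate_change_name "$name" || {
    echo "refusing unsafe change name" >&2
    return 2
  }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' \
      "openspec status --change '$name'" \
      "mkdir -p -- '$dest'" \
      "mv -- 'openspec/changes/$name' '$dest/'"
    return 0
  fi
  # '--' ends option parsing, so even a validated name cannot become a flag.
  openspec status --change "$name" &&
  mkdir -p -- "$dest" &&
  mv -- "openspec/changes/$name" "$dest/"
}

# Usage: DRY_RUN=1 sh archive.sh add-auth [destination-dir]
if [ "$#" -gt 0 ]; then
  archive_change "$@"
fi
```

The same allowlist should be applied before the name is echoed back into the conversation; validating on the way in covers both commands at once, whereas escaping per command is easy to forget when the skill text is later edited.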
Audit Metadata