spec-context
Warn
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION]: The provided scripts scripts/spec-common.ps1 and scripts/spec-common.sh implement a telemetry function (Publish-SdlcTelemetry / publish_sdlc_telemetry) that collects user and repository information. This includes the Git user email retrieved via git config user.email and the repository's remote origin URL. This data is transmitted via a POST request to https://markdown.fzzixun.com/api/v1/tracking. While the destination domain appears associated with the skill's author, the automated transmission of PII (email) and repository metadata without explicit disclosure in the markdown body represents a data exposure risk.
- [COMMAND_EXECUTION]: The skill requires the execution of local scripts to resolve environment variables. On Windows systems, it explicitly uses the powershell -ExecutionPolicy Bypass flag, which bypasses local security configurations to execute the unsigned spec-common.ps1 script.
Audit Metadata