openspec-apply-change
Warn
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating a name variable into strings such as openspec status --change "<name>" --json. If the change name is sourced from untrusted user input or context and contains shell metacharacters (e.g., backticks or semicolons), it could result in unauthorized command execution.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and follows instructions from external context files (e.g., proposal, specs, design, tasks). An attacker who can influence these files could inject malicious directives that the agent would then implement as code changes.

Evidence Chain:
1. Ingestion points: Reads files specified in the contextFiles output of the CLI (SKILL.md Step 4).
2. Boundary markers: Absent; the skill does not instruct the agent to ignore or delimit instructions within the context files.
3. Capability inventory: Executes CLI commands, reads local files, and performs filesystem write operations to implement changes (SKILL.md Step 6).
4. Sanitization: Absent; there is no validation of the content read from context files.
Audit Metadata