openspec-ff-change

Pass

Audited by Gen Agent Trust Hub on Mar 22, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs and executes shell commands using the openspec CLI, such as openspec new change "<name>". The <name> parameter is derived from user-provided descriptions. Although the instructions tell the agent to format this value as kebab-case, failing to strictly sanitize it could allow command injection if the user supplies a string that breaks out of the shell command context.
  • [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection (Category 8) because it ingests data from external files and CLI outputs to guide its behavior.
    • Ingestion points: Step 4a in SKILL.md reads JSON data (including context, rules, and instruction fields) from the openspec instructions command and parses content from local dependency files.
    • Boundary markers: The skill instructs the agent not to copy specific blocks into the output, but it lacks robust, formal delimiters to isolate untrusted content.
    • Capability inventory: The skill performs shell command execution (openspec) and file-writing operations based on processed templates.
    • Sanitization: No explicit validation or filtering of the ingested instruction content or dependency file data is performed before it is used as a constraint for generating new artifacts.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 22, 2026, 01:08 PM