inspector
Warn
Audited by Gen Agent Trust Hub on May 22, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The commits subcommand (defined in references/commits.md) accepts a user-provided range argument which is passed directly to a shell command (git log --oneline --name-status <range>). This presents a potential command injection surface if the range string is not strictly validated or sanitized by the executing agent.
- [COMMAND_EXECUTION]: High-impact subcommands such as review-work and reconcile are authorized to perform autonomous modifications to both project specifications and the application codebase (see Step 3 in references/review-work.md). While this is the intended functionality, the ability of the agent to generate and apply its own code changes represents a significant security risk if the agent's reasoning is influenced by malicious input.
- [DATA_EXFILTRATION]: The sync-linear subcommand (defined in references/sync-linear.md) transmits content from local specification files (proposal.md and tasks.md) to the Linear project management platform. This is a legitimate feature for this well-known service, but users should be aware that architectural and logic descriptions are shared with an external third party.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection because it processes untrusted documentation and task files from the repository and uses that content to drive automated auditing and remediation tasks.
  - Ingestion points: Multiple markdown files within the openspec/changes/ directory are read during analysis (Step 1 in the auditing references).
  - Boundary markers: Artifact content is inlined directly into specialist agent briefs (e.g., references/review.md, Step 2) without the use of boundary delimiters or specific instructions to ignore embedded prompts.
  - Capability inventory: File system read/write/edit access, shell command execution (git), and access to the Linear integration.
  - Sanitization: No validation or sanitization of the artifact content is performed; the agent treats instructions or requirements found in these files as authoritative data for its operations.
Audit Metadata