Skills
skills/ahgraber/skills/spec-kit-specify/Gen Agent Trust Hub

spec-kit-specify

Pass

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a local shell script at scripts/create-new-feature.sh to initialize feature branches and manage project metadata.
  • [PROMPT_INJECTION]: The skill processes untrusted user requirements and interpolates them into script arguments and generated specification files, presenting an indirect prompt injection surface.
  • Ingestion points: Full user request captured as feature description in SKILL.md (Workflow Step 01).
  • Boundary markers: No explicit delimiters are used to wrap or sanitize user input in the generated spec.md or script calls.
  • Capability inventory: Shell command execution via local scripts and file system writes to the repository.
  • Sanitization: No validation or escaping of the user-provided feature description is performed.
  • [EXTERNAL_DOWNLOADS]: References a specification template from an official repository on GitHub.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 13, 2026, 12:44 PM