spec-kit
Pass
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the
specify-clitool from the official GitHub organization repository (github.com/github/spec-kit), which is a trusted source. It also provides installation commands via the author's repository on GitHub, consistent with vendor distribution practices. - [REMOTE_CODE_EXECUTION]: The
scripts/install.shfile includes a documented instruction for installing theuvtool fromastral.sh. Astral is a well-known technology provider, and the command is presented as an informative error message for manual setup rather than being executed automatically by the skill. - [COMMAND_EXECUTION]: The skill uses standard package managers and the
specifyCLI to perform project initialization and drive the development pipeline. These operations are within the expected scope of a development-oriented agent skill. - [DATA_EXPOSURE]: No unauthorized access to sensitive files or environment variables was detected. The skill primarily interacts with specification files and configuration within the local project directory.
Audit Metadata