spec-stack
Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The
scripts/install.shscript downloads theuvpackage manager's installation script fromastral.sh, which is a well-known technology service. It also retrieves thespec-kitrepository from GitHub and installs various Python packages from the official registry. - [REMOTE_CODE_EXECUTION]: The installer script uses a common pattern of piping a remote script from
astral.shdirectly into the shell (sh) for execution. - [COMMAND_EXECUTION]: The skill's primary function involves executing several CLI tools, including
specify,cli-hub, andouroboros, through shell commands to manage the spec-to-artifact pipeline. - [PROMPT_INJECTION]: The skill processes external data, including user-authored specification files and structured JSON output from CLI harnesses, which presents an indirect prompt injection surface.
- Ingestion points: Specification files (e.g.,
spec.md,plan.md) and CLI tool output processed during the evaluate step. - Boundary markers: No explicit markers or warnings are used to distinguish between instructions and data.
- Capability inventory: The skill utilizes shell execution (Bash) and file system access (Read, Write, Edit, Glob).
- Sanitization: The instructions do not describe any sanitization or validation of the ingested external content.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata