spec-stack

Fail

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The scripts/install.sh script downloads the uv package manager's installation script from astral.sh, which is a well-known technology service. It also retrieves the spec-kit repository from GitHub and installs various Python packages from the official registry.
  • [REMOTE_CODE_EXECUTION]: The installer script uses a common pattern of piping a remote script from astral.sh directly into the shell (sh) for execution.
  • [COMMAND_EXECUTION]: The skill's primary function involves executing several CLI tools, including specify, cli-hub, and ouroboros, through shell commands to manage the spec-to-artifact pipeline.
  • [PROMPT_INJECTION]: The skill processes external data, including user-authored specification files and structured JSON output from CLI harnesses, which presents an indirect prompt injection surface.
  • Ingestion points: Specification files (e.g., spec.md, plan.md) and CLI tool output processed during the evaluate step.
  • Boundary markers: No explicit markers or warnings are used to distinguish between instructions and data.
  • Capability inventory: The skill utilizes shell execution (Bash) and file system access (Read, Write, Edit, Glob).
  • Sanitization: The instructions do not describe any sanitization or validation of the ingested external content.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 17, 2026, 07:07 AM
Security Audit — agent-trust-hub — spec-stack