ai-create-techspec

Warn

Audited by Gen Agent Trust Hub on Jul 7, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands using bash and git to manage an Obsidian vault, specifically running git add, git commit, and git push directly on the host filesystem. \n
  • Evidence: The script block provided in the 'Output to Obsidian' section of SKILL.md. \n
  • Risk: Potential for shell command injection if the feature identifier or commit message contains malicious shell characters (e.g., backticks, semi-colons, or unmatched quotes) that are not properly escaped before being passed to the shell. \n- [DATA_EXFILTRATION]: The skill reads data from the user's home directory ($HOME/Documents/obsidian/obsidian) and pushes it to a remote repository via git push. \n
  • Evidence: Use of $HOME/Documents/obsidian/obsidian as the default vault root and the execution of git push. \n
  • Risk: If the git origin points to an untrusted or attacker-controlled repository, any content in the vault (including potentially sensitive PRDs or technical specs) would be exfiltrated. \n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it reads and processes Product Requirement Documents (PRDs) from the local vault. \n
  • Ingestion points: engineering//workplans//prd.md (read using the Read tool in SKILL.md). \n
  • Boundary markers: Absent. The skill does not use specific delimiters or instructions to ignore embedded commands within the PRD content. \n
  • Capability inventory: Shell access (bash/git), file system modification (Write, Edit), and network access (git push). \n
  • Sanitization: Absent. No evidence of validating or escaping the content read from the PRD before processing it or including it in generated documents.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 7, 2026, 02:45 PM
Security Audit — agent-trust-hub — ai-create-techspec