ai-create-techspec
Warn
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using bash and git to manage an Obsidian vault, specifically running git add, git commit, and git push directly on the host filesystem. \n
- Evidence: The script block provided in the 'Output to Obsidian' section of SKILL.md. \n
- Risk: Potential for shell command injection if the feature identifier or commit message contains malicious shell characters (e.g., backticks, semi-colons, or unmatched quotes) that are not properly escaped before being passed to the shell. \n- [DATA_EXFILTRATION]: The skill reads data from the user's home directory ($HOME/Documents/obsidian/obsidian) and pushes it to a remote repository via git push. \n
- Evidence: Use of $HOME/Documents/obsidian/obsidian as the default vault root and the execution of git push. \n
- Risk: If the git origin points to an untrusted or attacker-controlled repository, any content in the vault (including potentially sensitive PRDs or technical specs) would be exfiltrated. \n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it reads and processes Product Requirement Documents (PRDs) from the local vault. \n
- Ingestion points: engineering//workplans//prd.md (read using the Read tool in SKILL.md). \n
- Boundary markers: Absent. The skill does not use specific delimiters or instructions to ignore embedded commands within the PRD content. \n
- Capability inventory: Shell access (bash/git), file system modification (Write, Edit), and network access (git push). \n
- Sanitization: Absent. No evidence of validating or escaping the content read from the PRD before processing it or including it in generated documents.
Audit Metadata