Skills
skills/danielsogl/copilot-workflow-demo/openspec-apply-change/Gen Agent Trust Hub

openspec-apply-change

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the openspec CLI to perform operations such as listing changes, checking status, and fetching implementation instructions. It interpolates change names (which can be derived from user input or conversation context) into shell commands (e.g., openspec status --change "<name>" --json). While the instructions use double quotes to wrap the variable, this remains a potential point of command injection if the agent does not properly sanitize the input.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by consuming and acting upon data returned from the openspec CLI.
  • Ingestion points: The skill reads contextFiles, a list of tasks, and a dynamic instruction field from the JSON output of openspec instructions apply --json.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore or isolate potentially malicious natural language instructions contained within the CLI output.
  • Capability inventory: The skill possesses the capability to execute shell commands via the openspec tool, read arbitrary files listed in the contextFiles output, and modify task files (e.g., toggling markdown checkboxes).
  • Sanitization: There is no validation or sanitization of the file paths or dynamic instructions returned by the CLI before the agent processes them.
Audit Metadata
Risk Level
SAFE
Analyzed
Apr 2, 2026, 12:09 AM