sdd-apply

Pass

Audited by Gen Agent Trust Hub on Mar 28, 2026

Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically determines and executes test commands by reading project configuration files such as openspec/config.yaml, package.json, and pyproject.toml. If these files are compromised or malicious, they could be used to execute arbitrary shell commands on the host system.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and strictly follows instructions from potentially untrusted project data, including tasks.md, design documents, and specifications. It lacks boundary markers or sanitization for this data, allowing malicious instructions embedded in the project files to influence the agent's behavior.
  • [COMMAND_EXECUTION]: In Step 1, the skill is instructed to load additional skills from a path provided by the orchestrator at runtime. This dynamic loading of instructions can lead to the execution of unverified logic if the provided path is controlled by an attacker.
  • [PROMPT_INJECTION]: The mandatory evidence chain for Indirect Prompt Injection (Category 8) is as follows:
      • Ingestion points: Reads data from tasks.md, config.yaml, package.json, pyproject.toml, project specifications, and design artifacts.
      • Boundary markers: The skill does not define or use explicit delimiters or warnings to ignore embedded instructions within the ingested project data.
      • Capability inventory: The skill has the capability to write and modify local files, update memory artifacts via mem_update/mem_save, and execute shell commands (test runners).
      • Sanitization: There is no evidence of sanitization, validation, or escaping of the content read from external files before it is processed or executed.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 28, 2026, 02:23 PM