sdd-propose
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted input from exploration reports and user descriptions, creating a surface for indirect prompt injection (Category 8).
  - Ingestion points: Untrusted data enters the agent context via the mem_get_observation tool (retrieving exploration results) and direct user descriptions provided at runtime.
  - Boundary markers: The instructions do not define boundary markers or delimiters (like XML tags) to separate untrusted data from the system prompt.
  - Capability inventory: The skill has significant capabilities, including filesystem writes (openspec/changes/) and data persistence through the mem_save tool.
  - Sanitization: There is no evidence of input validation, filtering, or sanitization of the external content before it is interpolated into the proposal template.
- [COMMAND_EXECUTION]: The skill performs directory and file operations on the local system as part of its core functionality.
  - Evidence: Step 2 and Step 4 instruct the agent to create directory structures and write proposal.md files to the openspec/ path.
- [DYNAMIC_EXECUTION]: The skill utilizes dynamic loading of additional instruction sets from computed paths.
  - Evidence: Step 1 instructs the agent to load additional skills from a path provided in the launch prompt. This dynamic loading of instructions from paths determined at runtime is a potential vector for executing unintended logic if the path is manipulated.
Audit Metadata