sdd-spec
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes external content from proposals and existing specifications without sufficient isolation.
  1. Ingestion points: Data enters the context via the mem_get_observation tool and filesystem reads from openspec/specs/.
  2. Boundary markers: The skill instructions do not use specific delimiters or escape sequences to distinguish ingested data from agent instructions.
  3. Capability inventory: The skill can write to the memory system (mem_save) and, in certain modes, to the local filesystem.
  4. Sanitization: No evidence of input validation, filtering, or sanitization of the retrieved content is present.
- [REMOTE_CODE_EXECUTION]: The skill employs a dynamic loading mechanism: it is instructed to load additional skill instructions from a path provided at runtime in the launch prompt. This pattern extends the agent's logic based on external input, which could be exploited if the provided path points to untrusted or malicious instructions.
Audit Metadata