cmd-speckit-clarify

Pass

Audited by Gen Agent Trust Hub on Apr 27, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill processes potentially untrusted data from local project files and user input.
      • Ingestion points: The agent reads spec.md, files within .specify/specs/*/, and .specify/memory/constitution.md, as well as processing user input via the {{INPUT}} placeholder.
      • Boundary markers: The skill lacks explicit boundary markers or delimiters to isolate untrusted file content from the system instructions.
      • Capability inventory: The skill has the capability to read local files, modify/update specification files (Step 6), and invoke secondary commands like /speckit.plan.
      • Sanitization: There is no evidence of input validation or sanitization of the content being read from the project files before it is incorporated into the agent's reasoning loop.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 27, 2026, 07:41 AM
Security Audit — agent-trust-hub — cmd-speckit-clarify