spec-driven-archive
Pass
Audited by Gen Agent Trust Hub on May 29, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill uses local Node.js scripts to manage an archival workflow. The use of relative paths for script locations indicates a specific project structure dependency but does not constitute an exploit pattern.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by reading and merging content from delta specification files.
  - Ingestion points: Delta spec files located in `.spec-driven/changes/<name>/specs/`.
  - Boundary markers: Instructions specify processing content specifically within `### Requirement:` blocks.
  - Capability inventory: File system write access and local script execution (`node`) within the project directory.
  - Sanitization: No explicit sanitization or validation of the requirement block content is performed before merging into main specifications.