spec-driven-propose

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests data from local project files that could be controlled by an attacker (e.g., in a collaborative repository or via a malicious Pull Request).
  • Ingestion points: The agent reads .spec-driven/config.yaml, .spec-driven/specs/INDEX.md, and various markdown files referenced in the index (SKILL.md, Step 2).
  • Boundary markers: The instructions do not specify any delimiters or warnings to ignore embedded instructions within the ingested project files.
  • Capability inventory: The skill has the ability to execute shell commands (node, ls) and write numerous files to the filesystem (SKILL.md, Steps 3, 6, and 9).
  • Sanitization: There is no mention of sanitizing or validating the content read from the project files before it is used to influence the agent's output or logic.
  • [COMMAND_EXECUTION]: The skill executes local scripts using the node runtime, passing user-provided input as arguments.
  • Evidence: The commands node {{SKILL_DIR}}/scripts/spec-driven.js propose <name> and node {{SKILL_DIR}}/scripts/spec-driven.js verify <name> (SKILL.md, Steps 3 and 9) use a variable <name> obtained directly from the user. While the instructions suggest a 'kebab-case' format, there is a risk of command injection if the execution environment or the script itself does not properly escape or validate this input.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 26, 2026, 02:18 PM