openspec-propose
Pass
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the execution of shell commands through the `openspec` CLI (e.g., `openspec new`, `openspec status`, `openspec instructions`). These commands are used to create directory structures and retrieve metadata for artifact generation within the local environment. This behavior is consistent with the skill's stated purpose of automating development workflows.
- [INDIRECT_PROMPT_INJECTION]: The skill processes JSON data returned by the `openspec instructions` command, which includes templates and guidance for artifact creation. While this introduces a surface for indirect prompt injection from local configuration files, the skill includes explicit instructions for the agent to treat this data as constraints rather than direct content, and it operates within a local, user-initiated context.
  - Ingestion points: Data enters the context through the output of `openspec instructions <artifact-id> --change "<name>" --json` (SKILL.md, Step 4a).
  - Boundary markers: The skill explicitly instructs the agent to use the data as constraints and 'do NOT copy , , <project_context> blocks into the artifact' (SKILL.md, Artifact Creation Guidelines).
  - Capability inventory: The skill has access to shell execution (`bash`) for CLI interaction and the `TodoWrite` tool for progress management.
  - Sanitization: The agent is instructed to derive a 'kebab-case name' from user input before passing it to shell commands, which provides a layer of input sanitization.
Audit Metadata