openspec-dev

Pass

Audited by Gen Agent Trust Hub on Jun 14, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands to perform repository management and automation tasks.\n
  • Uses git checkout, git pull, git add, and git commit to manage phase-specific branches and update status files.\n
  • Utilizes the GitHub CLI (gh pr create) to programmatically generate pull requests for completed work phases.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted markdown data to drive agent behavior.\n
  • Ingestion points: Extracts task descriptions and phase definitions from openspec/changes/<change-id>/tasks.md and proposal.md as described in Step 1.\n
  • Boundary markers: There are no explicit delimiters or specific instructions to ignore malicious directives embedded within the task descriptions when they are passed to the subagent workflow.\n
  • Capability inventory: The skill possesses capabilities for filesystem writes, git operations, and triggering the superpowers:subagent-driven-development skill, which likely includes code execution permissions.\n
  • Sanitization: Content from the markdown files is interpolated directly into task plans for subagents without validation or escaping, allowing potentially malicious task descriptions to influence subagent actions.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 14, 2026, 03:30 AM
Security Audit — agent-trust-hub — openspec-dev