openspec-dev
Pass
Audited by Gen Agent Trust Hub on Jun 14, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands to perform repository management and automation tasks.\n
- Uses
git checkout,git pull,git add, andgit committo manage phase-specific branches and update status files.\n - Utilizes the GitHub CLI (
gh pr create) to programmatically generate pull requests for completed work phases.\n- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing untrusted markdown data to drive agent behavior.\n - Ingestion points: Extracts task descriptions and phase definitions from
openspec/changes/<change-id>/tasks.mdandproposal.mdas described in Step 1.\n - Boundary markers: There are no explicit delimiters or specific instructions to ignore malicious directives embedded within the task descriptions when they are passed to the subagent workflow.\n
- Capability inventory: The skill possesses capabilities for filesystem writes, git operations, and triggering the
superpowers:subagent-driven-developmentskill, which likely includes code execution permissions.\n - Sanitization: Content from the markdown files is interpolated directly into task plans for subagents without validation or escaping, allowing potentially malicious task descriptions to influence subagent actions.
Audit Metadata