specsmith
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It is designed to automatically ingest and process untrusted data from both the local codebase and external web sources to generate project specifications.
  - Ingestion points: The agents/researcher.md subagent uses WebSearch, WebFetch, and Read tools to gather codebase architecture and internet-based best practices. The commands/openapi.md command uses Glob and Read to scan all route and schema definitions.
  - Boundary markers: No specific delimiters or instructions to ignore embedded commands within the researched data are present in the prompts.
  - Capability inventory: The subagent possesses Bash and WebFetch capabilities, allowing it to execute commands or reach external endpoints if successfully manipulated by injected instructions.
  - Sanitization: There is no evidence of sanitization or filtering applied to the gathered research content before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill utilizes shell commands for legitimate project management tasks. The SKILL.md and commands/forge.md files use mkdir -p for directory initialization, and the agents/researcher.md subagent is granted Bash tool access to perform project inventory (e.g., ls -la). These operations are consistent with the skill's stated purpose.
Audit Metadata