openspec-continue-change

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
COMMAND_EXECUTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill legitimately executes the openspec CLI tool (e.g., openspec status, openspec list, openspec instructions) to retrieve project metadata and state. These commands are necessary for the skill's stated purpose of managing development workflows.
  • [DATA_ACCESS]: The skill reads project files identified as 'dependencies' and writes new files to the outputPath provided by the CLI. This behavior is restricted to the local project environment and aligns with the expected function of an artifact creation tool.
  • [INDIRECT_PROMPT_INJECTION]: The skill has a surface for indirect prompt injection, as it ingests untrusted data from external sources.
      ◦ Ingestion points: The skill parses JSON output from the openspec CLI (specifically the context, rules, and instruction fields) and reads the content of existing project files marked as dependencies.
      ◦ Boundary markers: No explicit delimiters or 'ignore' instructions are used to wrap the data retrieved from the CLI or files.
      ◦ Capability inventory: The skill has the capability to execute shell commands (openspec), read local files, and write local files.
      ◦ Sanitization: There is no evidence of sanitization or validation of the content retrieved from external files before it is processed by the agent.
      ◦ Risk Assessment: While the attack surface exists, the risk is inherent to the tool's purpose of following project specifications. The prompt includes instructions to use context and rules as constraints rather than directly copying them, which acts as a logical barrier.
Audit Metadata
  Risk Level: SAFE
  Analyzed: May 13, 2026, 01:38 AM