spec-driven
Pass
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill follows a strict phased approach (Clarify, Specify, Design, Implement, Validate) for software development.
- [SAFE]: It implements mandatory 'Approval Gates' that prevent the AI agent from proceeding to implementation or destructive actions without explicit user confirmation.
- [SAFE]: The `references/CHECKLIST.md` file specifically includes security verification steps such as checking for SQL injection, XSS, and credential leakage in logs, demonstrating a security-conscious design.
- [DATA_EXPOSURE]: While the skill uses the `Read` and `Bash` tools to analyze the codebase for 'spec-drift' detection, these operations are scoped to the local project directory and are part of the primary functional purpose of the skill. No evidence of unauthorized data transmission or exfiltration was found.
- [INDIRECT_PROMPT_INJECTION]: The skill processes external data by reading the local codebase (`Explore`, `Read`, `Grep`). This constitutes an attack surface where malicious comments in a repository could attempt to influence the agent. However, the risk is mitigated by the mandatory human review checkpoints required before any code is modified or executed.
Audit Metadata