Skills
skills/staruhub/claudeskills/Geek-skills-openspec-propose/Gen Agent Trust Hub

Geek-skills-openspec-propose

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and obeys instructions (specifically the instruction, rules, and context fields) fetched from an external CLI tool (openspec instructions).
  • Ingestion points: Data enters the agent context via the JSON output of the openspec instructions command in SKILL.md (Step 4a).
  • Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are used when processing the fetched content.
  • Capability inventory: The agent can execute shell commands (openspec), write files to arbitrary paths (outputPath), and interact with the user via AskUserQuestion.
  • Sanitization: There is no evidence of sanitization or validation of the fetched JSON content before it is processed by the LLM.
  • [COMMAND_EXECUTION]: The skill uses the agent to execute multiple shell commands (openspec new, openspec status, openspec instructions). While these appear to be the primary intended functionality of the skill, the agent is instructed to write files to an outputPath provided dynamically by the tool. If the tool provides a malicious path (e.g., outside the project directory), it could lead to unauthorized file modification.
Audit Metadata
Risk Level
SAFE
Analyzed
Mar 26, 2026, 03:09 AM