Back to skill

Security audit

Spec Kit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Spec Kit helper for project setup and spec-driven development, with expected project-changing behavior disclosed in the documentation.

Install this only if you want Spec Kit to automate project setup and development. Use it on a clean branch or disposable project when possible, review generated diffs and test results, and inspect commits before pushing or sharing them. Consider pinning or reviewing the GitHub source used by `uvx` if supply-chain control matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states that `/speckit.build` creates files, runs tests, and commits progress to Git, but it does not clearly warn users that invoking the command may automatically modify the working tree and create commits. In an agent-driven environment, hidden write and commit side effects can cause unintended code changes, polluted history, accidental inclusion of sensitive files, or execution of repository test hooks without informed user consent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.