Spec-kit Coding

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This Spec-Kit workflow skill is mostly disclosed and purpose-aligned, but its setup pulls many unpinned third-party skill packs from GitHub by default, which warrants review before installing.

Install only if you are comfortable letting this skill add many third-party agent instructions to its external-skills directory. Prefer running --check-only first, review the listed GitHub sources and generated MANIFEST/SOURCE files, avoid --force unless you intend to replace the downloaded skill set, and pin or vet the external skills before using this in sensitive projects.

Publisher note

Its just download deps and NOT upload anything.

SkillSpector (2)

By NVIDIA

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The script’s declared purpose is Spec-Kit dependency setup, but it also downloads and installs a broad set of third-party skills from unrelated repositories. This expands the trust boundary and supply-chain exposure far beyond what users would reasonably expect from a workflow-specific setup script, increasing the risk of pulling in unsafe or compromised content.

Context-Inappropriate Capability

Medium

Confidence: 94% confidence
Finding: The external auxiliary skill installation logic fetches capability packs from multiple unrelated GitHub sources without strong justification tied to the stated orchestrator role. In an agent-skill ecosystem, importing unreviewed skills can alter downstream model behavior and instructions, creating a meaningful supply-chain and prompt-injection risk.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal