Security Audit
dceoy/speckit-agent-skills:skills/speckit-constitution
github.com/dceoy/speckit-agent-skillsTrust Assessment
dceoy/speckit-agent-skills:skills/speckit-constitution received a trust score of 50/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. Key findings include Persistent Prompt Injection via Modification of Other Agent Prompts/Skills, Broad Read/Write Access Across Repository Files, Potential Data Exfiltration via Malicious User Input and Broad Read Access.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on April 1, 2026 (commit a934d48e). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistent Prompt Injection via Modification of Other Agent Prompts/Skills The skill is designed to update various files, including other agent prompts and skill definitions (e.g., `.claude/commands/speckit.*.md`, `.codex/prompts/speckit.*.md`, `.github/prompts/speckit.*.prompt.md`, `skills/speckit-*/SKILL.md`). The workflow explicitly states that values for placeholders, including 'principles,' can be derived from user input (Step 2). If a malicious user provides crafted input for these principles, the agent could inject harmful instructions or data into these downstream prompts and skills. This could lead to persistent prompt injection, allowing an attacker to reprogram other agents or skills within the system, potentially leading to unauthorized actions, data exfiltration, or command execution by those compromised agents. 1. **Sanitize User Input:** Implement strict sanitization and validation for all user-provided principle content before it is used to update any files, especially other prompts or skill definitions. This should include filtering out any potential prompt injection keywords, markdown code blocks, or suspicious URLs. 2. **Restrict Write Access to Prompts/Skills:** Re-evaluate whether this skill *needs* to modify other agent prompts and skill definitions. If possible, restrict its write access to only the `constitution.md` file and perhaps general documentation. 3. **Human Review for Critical Changes:** For any changes affecting other prompts or skills, require a human review and approval step before the changes are committed or applied. 4. **Isolate Agent Execution:** Ensure that agents whose prompts are modified by this skill operate in a sandboxed environment with minimal permissions. | LLM | SKILL.md:44 | |
| HIGH | Broad Read/Write Access Across Repository Files The skill is granted extensive read and write access to a wide array of files across the repository, including templates, documentation, and other agent/skill definitions. While this broad access is intended for 'consistency propagation,' it significantly increases the attack surface. In combination with potential prompt injection, an attacker could leverage this access to read sensitive files (data exfiltration) or inject malicious content into critical system components beyond the primary constitution file. The ability to modify other `SKILL.md` files is particularly concerning as it allows for self-modification or modification of other skills. 1. **Principle of Least Privilege:** Restrict the skill's file system access to only the absolute minimum necessary files and directories. For example, if it only needs to update `constitution.md`, it should not have write access to other skill definitions. 2. **Granular Permissions:** If updates to other files are truly necessary, implement granular permissions or separate sub-skills for each type of file modification, allowing for more controlled access. 3. **Path Validation:** Ensure all file paths accessed by the skill are strictly validated and confined to expected directories to prevent directory traversal attacks. | Static | SKILL.md:40 | |
| MEDIUM | Potential Data Exfiltration via Malicious User Input and Broad Read Access The skill has broad read access to various files within the repository (e.g., templates, documentation, other prompts/skills). Combined with the instruction to use user input for 'principles' (Step 2) and to incorporate these into the final `constitution.md` or the 'Sync Impact Report' (which is prepended as an HTML comment), a malicious user could potentially craft an input that instructs the agent to read the content of a sensitive file and then embed that content into the output. While the skill doesn't explicitly state it will output arbitrary file content, the lack of strict sanitization on user input and the broad read/write capabilities create a credible path for data exfiltration. 1. **Strict Input Sanitization:** Implement robust sanitization and validation for all user-provided input, especially when that input is to be inserted into files or reports. Prevent the injection of markdown that could embed file contents or external links. 2. **Output Content Filtering:** Filter the content that can be included in the 'Sync Impact Report' or the final `constitution.md` to ensure no sensitive data from other files is inadvertently or maliciously included. 3. **Restrict Read Access:** As mentioned in the Excessive Permissions finding, limit the files the skill can read to only those strictly necessary for its operation. | Static | SKILL.md:21 |
Scan History
Embed Code
[](https://skillshield.io/report/72ee4c0795f02ff0)
Powered by SkillShield