Is bobbyradford/openspec-workflow safe?

https://github.com/openclaw/skills/tree/main/skills/bobbyradford/openspec-workflow

Overall score: 78 (CAUTION)

openspec-workflow is a legitimate spec-driven development workflow skill with no hidden instructions, prompt injection tricks, or canary file exfiltration. Its primary security concern is structural: the skill mandates --dangerously-skip-permissions for all downstream Claude Code subagents and orchestrates autonomous git commits, pushes, and PR creation without per-action user confirmation, creating a wide trust boundary where the skill author's workflow templates control fully-permissioned subagent behavior. Users who install this skill should understand they are granting the workflow autonomous control over their git history and GitHub repositories.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 88/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 92/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 63/100 · 5%

Findings (6)

HIGH --dangerously-skip-permissions required for all subagent invocations -35

The skill's core Step 3 and review-loop.md both specify that Claude Code must be launched with --dangerously-skip-permissions for every implementation and review task. This flag disables all permission prompts, meaning the subagent will read files, execute shell commands, write to disk, and make network requests without asking. Any malicious content in the OpenSpec task artifacts would be executed without friction.

MEDIUM Autonomous git commit, push, and PR creation without user confirmation -28

Step 4 of the workflow directs the orchestrating agent to run 'git add -A && git commit' and 'git push origin ' followed by 'gh pr create' as a single uninterrupted sequence. There is no user confirmation step between implementation completion and remote code publication. A user invoking this skill on an active repo could have code committed and a PR opened against their main branch without review.

MEDIUM Persistent CI/CD automation installs on user repos via archive-action.md -20

The skill offers to install a GitHub Actions workflow (archive-action.md) that permanently automates branch deletion and archive PR creation for every future merged PR containing an 'OpenSpec change: ' tag. This side-effect persists indefinitely after the skill is dismissed and affects the repository's CI/CD pipeline for all future contributors.

MEDIUM Skill-controlled prompt templates injected into subagent system prompts -15

review-loop.md contains verbatim prompt templates that the orchestrating agent is instructed to embed into spawned subagent (-p) invocations. The skill author controls the framing, role assignment ('You are a skeptical spec reviewer'), and task boundaries given to the review subagent, which has full codebase read access. This creates a vector where future skill updates could alter subagent behavior.

LOW Dependency on external npm package @fission-ai/openspec -10

The skill requires 'npm install -g @fission-ai/openspec' as a prerequisite. This package is published by the skill author's organization. A compromised or updated version of this package could introduce malicious behavior that the skill would then invoke with elevated trust throughout the workflow.

INFO Simultaneous access to all honeypot credential files post-install -5

Auditd PATH records show .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json accessed at the same timestamp (1771918113.376) after skill installation. The pattern is consistent with Oathe's periodic canary scan (same file set as the pre-install scan at audit seq 415-423). The canary integrity check confirms the files are intact and no exfiltration traffic was detected.