Is jcorrego/openspec safe?
https://github.com/openclaw/skills/tree/main/skills/jcorrego/openspec
The jcorrego/openspec skill is a legitimate spec-driven development workflow tool with clean markdown-only content and no prompt injection, hidden instructions, or executable code embedded in the skill files themselves. The installation sandbox confirmed a straightforward git sparse-checkout with no unexpected network activity or filesystem changes, and all canary honeypot files remained intact. The primary residual risk is a supply chain concern: the skill instructs agents to globally install the unaudited @fission-ai/openspec npm package, which was not executed in this sandbox and could contain malicious lifecycle hooks or be subject to future compromise via unpinned @latest versioning.
Findings (7)
MEDIUM Global npm install of unaudited third-party package -10
SKILL.md instructs agents to run npm install -g @fission-ai/openspec@latest. This performs a global installation of a package from an unverified publisher. npm lifecycle hooks (preinstall, postinstall, prepare) in that package would execute arbitrary code with the agent user's full privileges at install time. The package itself was not evaluated as part of this sandbox audit — only the skill's markdown files were tested.
MEDIUM Unpinned auto-update instruction creates silent upgrade vector -7
The skill instructs agents to run openspec update after CLI upgrades. Combined with @latest in the install command, there is no version pinning, so a compromised or hijacked npm package would be distributed to every agent running this skill without any version gate.
LOW Credential files accessed post-installation by unattributed process -5
Auditd PATH records at timestamps 1771926590.999–1771926591.000 (approximately 6 seconds after the skill installation completed at 1771926585) show read-only access to .env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials. All accesses are CLOSE_NOWRITE. No corresponding outbound exfiltration traffic was detected and the canary integrity check passed. These accesses are most likely the Oathe framework's post-install canary verification, but cannot be definitively attributed without process-level correlation in the available log data.
LOW Archive command uses --yes flag suppressing user confirmation -8
The agent workflow instructs openspec archive <name> --yes, which bypasses any interactive confirmation gate in the CLI. An agent could archive an incomplete or incorrect change set without surfacing a review step to the user.
LOW Broad trigger condition may activate skill in unintended contexts -7
The skill description includes 'Trigger on requests involving feature planning, spec writing, change management, or when /opsx commands are mentioned.' The inclusion of generic terms like 'feature planning' and 'change management' could cause the skill to activate during routine conversations, injecting the OpenSpec workflow framing into interactions where the user did not intend it.
INFO Installation is a clean sparse-checkout — no npm execution 0
The sandbox installation consisted solely of a git sparse-checkout clone of the openclaw/skills monorepo and a cp of the skill files. No npm install was triggered during installation. The network footprint was limited to a single TLS connection to GitHub (140.82.121.3:443).
INFO All honeypot canary files intact 0
Post-installation integrity check confirms no canary file (fake .env, fake SSH key, fake AWS credentials) was modified, deleted, or had its content appear in outbound network traffic.