speckit-constitution
Create or update the project constitution from interactive or provided principle inputs, ensuring all dependent templates stay in sync.
58
44%
Does it follow best practices?
Impact
76%
1.61xAverage score across 3 eval scenarios
Critical
Do not install without reviewing
Optimize this skill with Tessl
npx tessl skill review --optimize ./.claude/skills/speckit-constitution/SKILL.mdSecurity
2 findings — 1 critical severity, 1 high severity. Installing this skill is not recommended: please review these findings carefully if you do intend to do so.
E006: Malicious code pattern detected in skill scripts
What this means
Detected high-risk code patterns in the skill content — including its prompts, tool definitions, and resources — such as data exfiltration, backdoors, remote code execution, credential theft, system compromise, supply chain attacks, and obfuscation techniques.
Why it was flagged
Malicious code pattern detected (high risk: 0.90). The skill mostly performs repository file reads/writes but explicitly instructs automatic execution of repository-defined "mandatory" hooks/commands (before and after the constitution update), which can enable arbitrary code execution, data exfiltration, credential theft, filesystem modification, or other backdoor behavior if a malicious hook is present.
W007: Insecure credential handling detected in skill instructions
What this means
The skill handles credentials insecurely by requiring the agent to include secret values verbatim in its generated output. This exposes credentials in the agent’s context and conversation history, creating a risk of data exfiltration.
Why it was flagged
Insecure credential handling detected (high risk: 0.90). The prompt instructs the agent to read and then echo fields from local YAML files (hook prompts/command strings) verbatim into its outputs, which could contain API keys or other secrets and thus force the LLM to expose sensitive values.
- Repository
- mixpanel/mixpanel-headless
- Commit
3ce3191
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.