subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by interpolating untrusted data into instructions for subagents.
  - Ingestion points: The `implementer-prompt.md` and `spec-reviewer-prompt.md` files use placeholders to inject the `FULL TEXT` of tasks from external plan files (e.g., `docs/plans/feature-plan.md`) directly into the agent's context.
  - Boundary markers: While the templates use Markdown headers (e.g., `## Task Description`) to separate the injected text, they lack explicit delimiters or instructions to ignore embedded commands, which may allow malicious content in the plan to override the subagent's primary instructions.
  - Capability inventory: The implementer subagent is explicitly tasked with writing code, running tests, and committing changes. This high-privilege execution environment makes the lack of injection safeguards a concern if the input plan is attacker-controlled.
  - Sanitization: There is no evidence of sanitization, validation, or filtering of the task content before it is processed by the subagents.
Audit Metadata