subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface due to the interpolation of external data into subagent prompts.
  - Ingestion points: Task descriptions from implementation plans are directly inserted into implementer-prompt.md and spec-reviewer-prompt.md. Additionally, reports generated by the implementer subagent are processed by the reviewer subagent.
  - Boundary markers: The templates lack explicit technical delimiters (such as specific XML tags or triple-backticks with ignore-instructions) or explicit safety warnings to the subagent regarding the untrusted nature of the task text.
  - Capability inventory: Subagents are authorized to write to the file system and execute code (for testing and verification), creating a risk if malicious instructions within a task description are followed.
  - Sanitization: No input validation, escaping, or filtering is applied to the task content or the implementer's report before they are used in subagent prompts.
- [COMMAND_EXECUTION]: The implementer subagent is instructed to write and run tests to verify implementation work. This involves executing code in the session environment. While this is the intended primary purpose of a development-focused skill, it represents a high-impact capability that could be targeted by the identified prompt injection surface.
Audit Metadata