subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface because it processes untrusted text from implementation plans within subagent prompts.
  - Ingestion points: The 'implementer-prompt.md' and 'spec-reviewer-prompt.md' templates interpolate task requirements directly into the subagent instructions.
  - Boundary markers: There are no explicit delimiters or specific instructions provided to the subagents to ignore potentially malicious embedded commands within the ingested task text.
  - Capability inventory: The implementer subagent is granted significant capabilities, including modifying files, writing and executing tests, and committing code changes to the repository.
  - Sanitization: No sanitization, validation, or escaping of the external plan text is performed before it is presented to the subagents.
- [COMMAND_EXECUTION]: The implementer subagent is specifically instructed to 'Write tests' and 'Verify implementation works', which involves the creation and execution of code within the agent's environment. This capability, combined with the ingestion of untrusted task data, creates a vector for code-based attacks.