subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface.
- Ingestion points: implementer-prompt.md and spec-reviewer-prompt.md interpolate the full text of tasks from implementation plans.
- Boundary markers: The task content is placed under markdown headers but lacks strict delimiters or escaping to prevent the subagent from interpreting embedded instructions as system commands.
- Capability inventory: The workflow involves subagents with file system access (implementation and testing) and version control access (committing) via the general-purpose task tool.
- Sanitization: No automated sanitization or validation of the plan text is performed.
- Mitigation: The architecture requires two separate review stages (specification compliance and code quality) by independent subagents before a task is considered complete, which acts as a robust defense against malicious tasks.
Audit Metadata