subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection where a malicious implementation plan could contain instructions that subagents might follow.
- Ingestion points: Untrusted data enters the agent context through the `[FULL TEXT of task from plan]` placeholder in `implementer-prompt.md` and the `[From implementer's report]` placeholder in `spec-reviewer-prompt.md`.
- Boundary markers: The prompt templates lack explicit delimiters (such as XML tags or block quotes) and give subagents no instruction to treat the interpolated text as data rather than as instructions.
- Capability inventory: Subagents are expected to use general-purpose tools to perform file system operations, write code, and execute tests.
- Sanitization: There is no evidence of sanitization or validation of the plan text before it is interpolated into the prompts.
- [COMMAND_EXECUTION]: The skill's primary workflow involves 'Dynamic Execution' of generated code. The implementer subagent is explicitly instructed to write code and execute tests to verify its implementation. While this is the intended purpose of the skill, it creates a high-impact execution surface if the subagent is successfully compromised via indirect prompt injection.
Audit Metadata