parallel-task
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes task instructions from external markdown files provided at runtime. This creates a surface for indirect prompt injection; if an attacker can influence the content of the plan file (e.g., through a malicious pull request or shared documentation), they could embed instructions that override the agent's behavior.
- Ingestion points: plan.md files specified in the /parallel-task command.
- Boundary markers: The subagent prompt uses some headers but lacks strong delimiters to distinguish between the system template and potentially malicious content within the plan's description or acceptance criteria.
- Capability inventory: Subagents have permissions to read files, edit files, and commit changes to the repository.
- Sanitization: There is no evidence of sanitization or validation of the plan file's content before it is passed to subagents.
- [COMMAND_EXECUTION]: Subagents are explicitly instructed to "Run validation if feasible." This typically involves executing test suites or scripts defined within the project or the plan itself. If the plan file is untrusted, this capability could be exploited to run arbitrary code on the system.
Audit Metadata