subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it processes untrusted implementation plans.
  - Ingestion points: implementer-prompt.md and spec-reviewer-prompt.md both instruct the user to paste the full text of tasks from external plan files directly into the prompt templates.
  - Boundary markers: The prompt templates lack explicit delimiters (e.g., XML tags or triple backticks) around the interpolated task text, and carry no "ignore embedded instructions" warning for it.
  - Capability inventory: The subagents are granted significant capabilities, including the ability to implement code, write to files, run tests (subprocess execution), and commit changes to a repository.
  - Sanitization: No sanitization, filtering, or validation is performed on the task descriptions before they are passed to the subagents.
- [COMMAND_EXECUTION]: The skill utilizes dynamic execution patterns (Category 10) as part of its core functionality.
  - The implementer-prompt.md template directs subagents to write source code and execute tests. While this is the intended purpose of the skill, the lack of isolation from injected instructions in the task description increases the risk of executing unintended or malicious commands.
Audit Metadata