subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes potentially untrusted implementation plans (e.g., from docs/plans/*.md) and extracts task descriptions to be executed by subagents. Because these subagents have file-write and command-execution capabilities, an attacker can embed malicious instructions in a plan to gain control over the agent's actions or the local development environment.
  - Ingestion point: The skill reads plans and extracts all tasks with full text (SKILL.md).
  - Capability inventory: The Implementer subagent can implement code, run tests, and commit changes (SKILL.md).
  - Boundary markers: Absent.
  - Sanitization: Absent.
- [Remote Code Execution] (MEDIUM): The 'Implementer' subagent generates and executes code/tests based on external inputs. While this is intended for development, it provides a vector for arbitrary code execution if the task source text contains malicious logic.
Recommendations
- AI detected serious security threats
Audit Metadata