subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by design, as it interpolates external, potentially attacker-controlled task descriptions into subagent prompts.
  - Ingestion points: Task text is extracted from plan files (e.g., docs/plans/feature-plan.md mentioned in SKILL.md) and inserted into the prompts defined in implementer-prompt.md and spec-reviewer-prompt.md.
  - Boundary markers: The skill uses simple markdown headers (e.g., '## Task Description') to separate data from instructions, which is insufficient to prevent an adversary from escaping the data context and providing new instructions.
  - Capability inventory: Subagents dispatched by this skill are intended to have write access to the filesystem, the ability to execute tests (command execution), and the ability to perform git commits.
  - Sanitization: There is no evidence of sanitization, validation, or escaping of the task content before it is processed by the subagents.