subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill defines a protocol where a controller agent processes output from untrusted subagent sessions.
- Ingestion points: The controller reads implementation reports (SKILL.md lines 43-48) and diffs (SKILL.md lines 70, 74) from subagents.
- Boundary markers: There are no explicit instructions for the controller to use delimiters or ignore instructions embedded within the subagent's report or code changes.
- Capability inventory: The workflow requires the controller to execute git commands, manage state, and potentially run implementation/test commands provided by the subagent.
- Sanitization: The skill lacks any requirement to sanitize or validate the 'Commands run' field before the controller agent processes it.
- [Command Execution] (MEDIUM): The process mandates the use of copy-pasteable commands from subagent reports.
- Evidence: 'Report must include... Commands run (exact, copy-pasteable)' (SKILL.md line 45).
- Risk: This establishes a high-privilege capability where the controller agent is encouraged to execute strings generated by a subagent, which could be manipulated to execute malicious shell commands if the subagent is compromised by the code it is implementing.
Recommendations
- AI detected serious security threats
Audit Metadata