subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill architecture involves interpolating untrusted data from implementation plans directly into subagent instructions, creating a vulnerability to indirect prompt injection.
- Ingestion points: Found in implementer-prompt.md (task text) and spec-reviewer-prompt.md (requirements text) where data from external plans is directly inserted.
- Boundary markers: While Markdown headers are used for organization, the templates lack explicit instructions or robust delimiters to prevent subagents from obeying commands embedded within the plan data.
- Capability inventory: Implementer subagents are granted general-purpose tool access, which typically includes filesystem operations and shell execution, to carry out their assigned tasks.
- Sanitization: There is no evidence that the plan content is validated, sanitized, or escaped before being included in the subagent's execution context.
Audit Metadata