subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill's core workflow depends on extracting 'FULL TEXT' from plan files and inserting it into subagent prompts.
  - Ingestion points: implementer-prompt.md (line 12) and spec-reviewer-prompt.md (line 12) ingest untrusted task descriptions.
  - Boundary markers: The templates use standard Markdown headers as delimiters, which content containing similar headers can easily bypass.
  - Capability inventory: The implementer subagent has broad capabilities, including file modification (commit your work) and code execution (Verify implementation works / running tests).
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the task text before it is presented to the subagent.
- Remote Code Execution (HIGH): By delegating 'implementation' and 'verification' (testing) to a subagent based on instructions sourced from external plan files, the skill creates a path for Remote Code Execution. An attacker-controlled plan can define malicious logic that is then executed during the test phase of the implementation subagent.
Recommendations
- AI detected serious security threats
Audit Metadata