subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (LOW): The templates facilitate the interpolation of untrusted external content into agent prompts, which could be used to influence agent behavior.
  - Ingestion points: implementer-prompt.md (Task Description), spec-reviewer-prompt.md (Task Requirements, Implementer Report), and code-quality-reviewer-prompt.md (Implementer Report).
  - Boundary markers: Absent. The templates use placeholders like [FULL TEXT of task requirements] without markdown code blocks or XML tags to isolate external content from the instructions.
  - Capability inventory: The sub-agents described are expected to read/write code and execute tests, which are high-privilege capabilities if an injection occurs.
  - Sanitization: None provided in the templates.
  - Mitigation: The spec-reviewer-prompt.md contains a security-positive instruction ('CRITICAL: Do Not Trust the Report') that explicitly tells the agent to verify claims by reading code rather than trusting potentially malicious/inaccurate reports.
Audit Metadata