subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH (PROMPT_INJECTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to the way it handles untrusted plan data and code across multiple subagent templates.
- Ingestion points: Untrusted content enters the agent context in implementer-prompt.md (task text interpolation) and spec-reviewer-prompt.md (task requirements and implementation code interpolation).
- Boundary markers: The skill lacks explicit delimiters or "ignore embedded instructions" warnings when injecting external content into the subagent prompts, making it easy for an attacker to override the subagent's instructions.
- Capability inventory: The subagents are granted high-privilege capabilities, including file modification, test execution, and committing code to the repository.
- Sanitization: There is no evidence of sanitization, validation, or schema enforcement for the input plan text or the resulting implementation code before it is processed by the subagents.
Recommendations
- AI detected serious security threats
Audit Metadata