superpowers-subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides a coordination framework for software development. It uses internal tool references (e.g., superpowers:code-reviewer, superpowers:using-git-worktrees) consistent with a development environment and does not attempt to access external or untrusted resources.
- [REMOTE_CODE_EXECUTION]: While the skill involves subagents writing code and executing tests, these actions are restricted to the local workspace as part of the intended development workflow. No patterns of fetching and executing arbitrary remote scripts (e.g., curl | bash) were detected.
- [DATA_EXFILTRATION]: The skill does not contain instructions to access sensitive files (such as SSH keys or cloud credentials) or perform unauthorized network requests.
- [INDIRECT_PROMPT_INJECTION]: The workflow involves interpolating external data (task descriptions from plans) into subagent prompts. While this is a potential attack surface, the skill implements a multi-role review system (Spec Reviewer and Code Quality Reviewer) that serves as a defensive architecture to validate subagent output before it is accepted.
Audit Metadata