subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- Prompt Injection (LOW): The skill possesses an attack surface for Indirect Prompt Injection (Category 8) through the ingestion of external task text from implementation plans.
  - Ingestion points: Both implementer-prompt.md and spec-reviewer-prompt.md interpolate "FULL TEXT of task from plan" directly into the subagent's prompt context.
  - Boundary markers: Absent; the templates lack explicit delimiters to define the scope of untrusted data versus agent instructions.
  - Capability inventory: The implementer subagent has permissions to modify files, execute code for testing, and commit to version control via git.
  - Sanitization: There is no evidence of sanitization or safety-focused filtering of the plan content before it is processed by the subagents.
Audit Metadata