subagent-driven-development
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The cleanup procedure in
SKILL.mdinstructs the agent to runrm -rf .claude/plans/<plan-id>/. The use of the<plan-id>template variable without explicit sanitization instructions creates a risk of directory traversal if an attacker can influence the plan identifier. - [COMMAND_EXECUTION] (MEDIUM): The
code-quality-reviewer-prompt.mdincludes anode -ecommand that dynamically requires a package:node -e \"console.log(require('<pkg>/package.json').peerDependencies)\". If the<pkg>name is sourced from untrusted project metadata, this could lead to arbitrary code execution via command or code injection. - [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) as it instructs agents to read and follow specifications from 'briefing' files.
- Ingestion points:
implementer-prompt.mdandspec-reviewer-prompt.md(reading.claude/plans/<plan-id>/briefings/task-NN.md). - Boundary markers: Absent; there are no delimiters or instructions to treat the briefing content as untrusted.
- Capability inventory: The subagents have access to tools for filesystem modification, git commits, and code execution.
- Sanitization: None; the briefing content is treated as the primary source of truth for the task implementation.
Audit Metadata