subagent-driven-development

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
    - Ingestion points: The 'Setup' phase reads an external plan file, and the 'Per Task Loop' ingests 'full task text + context'.
    - Capability inventory: The implementer subagent is explicitly authorized to run commands, execute tests, and commit code ('implements, tests, commits').
    - Boundary markers: No explicit delimiters (e.g., XML tags or markdown blocks) or 'ignore embedded instructions' warnings are mandated for the untrusted plan data.
    - Sanitization: There is no mention of validating or escaping the task text before it is passed to the subagent dispatchers.
  • COMMAND_EXECUTION (MEDIUM): The skill workflow relies on the execution of dynamically generated commands.
    - Evidence: The 'Task Contract' requires reports to include 'Commands run (exact, copy-pasteable)', which are then intended to be part of the verification process. This creates a loop where the agent is encouraged to run arbitrary code generated during the implementation phase (Category 10).
  • EXTERNAL_DOWNLOADS (LOW): The skill references multiple local templates and external skills (e.g., writing-plans, test-driven-development). While these are standard dependencies in this ecosystem, they represent an external dependency chain that must be verified for the overall system to be secure.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 07:32 AM