subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The skill reads external implementation plans and passes the extracted text directly into subagent prompts without sanitization or boundary markers.
  - Ingestion points: implementation plans (e.g., docs/plans/feature-plan.md) read by the controller.
  - Boundary markers: Absent; plan text is interpolated directly into implementer-prompt.md and spec-reviewer-prompt.md.
  - Capability inventory: Subagents are granted general-purpose and code-reviewer task tools, which enable file system modifications, shell command execution for testing, and git operations.
  - Sanitization: Absent.
- [COMMAND_EXECUTION] (LOW): The skill's primary purpose involves executing shell commands for testing and git operations. While consistent with its stated use case, these capabilities are directly accessible to subagents processing potentially untrusted plan data.
Audit Metadata