subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill exhibits a significant Indirect Prompt Injection (Category 8) vulnerability surface.
- Ingestion points: The skill reads implementation plans from files (e.g.,
docs/plans/feature-plan.md) and interpolates the full text into the implementer subagent's prompt inimplementer-prompt.md. - Boundary markers: Missing. It uses standard Markdown headers which do not provide a security boundary against adversarial content in the plan.
- Capability inventory: The subagents are granted broad capabilities including code implementation, test execution, and committing changes.
- Sanitization: None. External content is interpolated directly. This allows a malicious plan to override subagent behavior and perform unauthorized file modifications or command execution.
Recommendations
- AI detected serious security threats
Audit Metadata