subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Detected vulnerability to Indirect Prompt Injection (Category 8) where instructions from a plan file could influence subagent behavior.
  - Ingestion points: Implementation tasks are read from external files (e.g., docs/plans/feature-plan.md) and passed into the implementer-prompt.md template.
  - Boundary markers: Absent; the prompt template does not use delimiters to isolate task text from the subagent's instructions.
  - Capability inventory: The subagents possess capabilities to modify the filesystem, execute tests, and commit code to the repository via the general-purpose and code-reviewer tools.
  - Sanitization: No sanitization or escaping of external task text is performed before it is included in the subagent prompt.
- [SAFE] (SAFE): No indicators of malicious intent, hardcoded credentials, or data exfiltration were found. The skill's structure—specifically the use of a secondary 'Spec Compliance' reviewer instructed not to trust the implementer's report—is a security best practice for autonomous development workflows.
Audit Metadata