subagent-driven-development

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (LOW): The skill implements a workflow where implementation tasks and subagent reports are used as context for other subagents. If an implementation plan (the input) contains malicious instructions, they could be followed by the subagents because there are no strict boundaries or sanitization processes.
    • Ingestion points: implementer-prompt.md (interpolates task text from plan files), spec-reviewer-prompt.md (interpolates task text and the implementer subagent's report).
    • Boundary markers: The skill uses Markdown headers (e.g., ## Task Description) to separate data from instructions, but lacks explicit "ignore embedded instructions" warnings or robust delimiters around the interpolated content.
    • Capability inventory: The subagents targeted by these prompts have the capability to write code to the filesystem, execute tests, and commit changes to the repository (git commit).
    • Sanitization: No sanitization or validation of the input text (tasks/reports) is performed before interpolation into the subagent prompts.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:36 PM