subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect prompt injection via plan processing. The skill dispatches subagents with the full text and context extracted from plan files.
  - Ingestion points: Task text is read from `docs/plans/feature-plan.md`, as described in the Example Workflow.
  - Boundary markers: Absent. The instructions specify passing "full task text + context" directly to subagents without delimiters.
  - Capability inventory: Subagents are authorized to implement code, run tests, and commit changes (write access).
  - Sanitization: None mentioned. There is no validation of the task content before dispatching agents with side-effect capabilities.
- [COMMAND_EXECUTION] (HIGH): The workflow delegates significant authority to subagents, including executing tests and committing code. This environment can be exploited if a subagent is coerced by a malicious plan into running harmful shell commands or introducing persistence mechanisms in the codebase.
Recommendations
- AI detected serious security threats
Audit Metadata