subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
- Ingestion points: Reads content from a
[plan-file]to define tasks for subagents. - Boundary markers: Uses basic templates for subagent prompts but lacks robust delimiters or 'ignore embedded instructions' warnings, allowing a malicious plan to potentially override subagent behavior.
- Capability inventory: Subagents are given the power to implement code, 'Write tests', 'Verify implementation works' (execution), and 'Commit your work'.
- Sanitization: No sanitization or validation of the plan content is performed before passing it to subagents.
- [COMMAND_EXECUTION] (MEDIUM): The workflow requires agents to execute code for testing and verification ('Verify implementation works'). If the input plan is malicious, it could lead to the execution of harmful commands during the automated test phase.
Recommendations
- AI detected serious security threats
Audit Metadata