subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests implementation plans and task metadata from external sources (e.g., plan files in
docs/superpowers/plans/and task descriptions viaTaskGet). Malicious instructions embedded within these plans could attempt to override the subagents' behavior.\n - Ingestion points: Plan files (
.md), task descriptions, andjson:metadatacode fences within tasks.\n - Boundary markers: Uses markdown headers (e.g.,
## Task Description) and JSON structures to delineate data, but these do not provide robust security isolation against adversarial content.\n - Capability inventory: The subagents can modify the filesystem, commit to git, and execute shell commands.\n
- Sanitization: The skill lacks explicit sanitization or validation logic for the content of the plans it processes.\n- [COMMAND_EXECUTION]: The implementer subagent is instructed to execute a
verifyCommandprovided in the task metadata. This allows for the execution of arbitrary shell commands. While this is a functional requirement for automated testing (TDD), it poses a security risk if the verification command is sourced from an untrusted or compromised implementation plan.
Audit Metadata