subagent
Fail
Audited by Gen Agent Trust Hub on Feb 12, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
================================================================================
🔴 VERDICT: HIGH
This skill set describes an agent-orchestrator workflow where a 'subagent' AI processes instructions and data from an 'orchestrator' AI and a central 'PLAN.md' file. The primary security risks arise from the inherent nature of AI agents processing external, potentially untrusted, input. The skill's 'Hard Rules' are a good defense, but sophisticated attacks could attempt to bypass them.
Total Findings: 3
🔴 HIGH Findings:
• Indirect Prompt Injection
  - The entire architecture relies on the subagent processing instructions and data from external sources (Orchestrator briefings, PLAN.md content). If these sources are compromised, malicious instructions could be injected into fields like 'Scope', 'Acceptance Criteria', 'Validation Steps', or 'Notes', leading the subagent to perform unintended actions or bypass its 'Hard Rules'. This is a core architectural risk.
• Command Execution via Untrusted Input
  - The skill explicitly instructs the subagent to run commands (e.g., curl, pytest, npm test) specified in the PLAN.md's 'Validation Steps' or 'Useful Commands' sections. If a malicious entry is injected into PLAN.md or an Orchestrator briefing, it could lead to arbitrary command execution in the subagent's environment.
🟡 MEDIUM Findings:
• Unverifiable Dependencies
  - The skill and related templates mention running commands like npm test, pytest, cargo test, and npm start. These commands imply the use of external package managers and dependencies. The skill set does not provide mechanisms to verify the integrity or safety of these external dependencies, posing a risk if a dependency is malicious or compromised. While no direct download commands are present in these files, the reliance on such tools introduces an external dependency risk.
================================================================================
Recommendations
- AI detected serious security threats