subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a multi-agent orchestration pattern that creates an indirect prompt injection surface. This occurs when the orchestrator or reviewer agents process content generated by implementation subagents.
- Ingestion points: SKILL.md (Phases 3 and 4) and the associated templates spec-reviewer-prompt.md and code-quality-reviewer-prompt.md ingest the complete output, including notes and verification steps, from implementer agents.
- Boundary markers: The prompt templates utilize standard Markdown headers to separate implementation data from instructions. However, they lack robust delimiters (such as randomized tokens or XML-style tagging) to prevent a subagent from injecting instructions intended to bypass the review gates or influence orchestrator behavior.
- Capability inventory: The orchestrator is explicitly instructed in Phase 6 to execute shell commands for project verification (linting, building, and running tests) based on the subagent's implementation.
- Sanitization: No explicit sanitization, instruction filtering, or escaping is performed on the subagent output before it is processed by subsequent reviewers or the orchestrator.
- [COMMAND_EXECUTION]: The orchestration logic defined in SKILL.md (Phase 6) and the implementer-prompt.md template involves the execution of developer tooling on code generated by subagents. This process includes running test suites, linters, and build commands. While necessary for software development, this presents a vector for command execution or the execution of malicious logic if an implementer agent provides compromised verification commands or code.
Audit Metadata