build
Warn
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses the
Agenttool andTeamCreateto spawn 'general-purpose' subagents (often using the Opus model) that are authorized to implement code, create stubs, and run test suites. This creates a delegated execution chain where the lead agent manages multiple sub-processes with command execution privileges across the pipeline. - [PROMPT_INJECTION]: The pipeline has a significant surface for indirect prompt injection. Multiple templates, such as
acceptance-test-writer-prompt.mdandplan-writer-prompt.md, ingest the 'FULL TEXT' of design documents and implementation plans directly into subagent prompts. - Ingestion points: Design documents (Phase 1), Implementation Plans (Phase 2), and Git diffs (Phase 3) are used as direct inputs for subagents.
- Boundary markers: Explicit delimiters or 'ignore instructions' warnings are absent in the prompt templates when interpolating external text.
- Capability inventory: Subagents are assigned the 'general-purpose' type, providing them with tool access for file system modification and command execution.
- Sanitization: No escaping or validation of external content is performed before interpolation into subagent prompts.
- [COMMAND_EXECUTION]: The skill performs extensive file system and git operations. Notably, the 'Cleanup Agent' (
cleanup-prompt.md) is empowered to autonomously delete code and tests based on its own analysis of the codebase. The orchestrator also writes session metrics and decision logs to the/tmpdirectory.
Audit Metadata