subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing data from an external system (beads) while possessing significant capabilities.\n
- Ingestion points: Subagents execute
bd showandbd comments(detailed incontext-loading.mdandimplementer-prompt.md) to retrieve requirements and wave conventions directly from issue descriptions and comments.\n - Boundary markers: While prompt templates in
implementer-prompt.mduse structural headers, they do not employ unique delimiters or specific instructions to disregard embedded commands in the retrieved data.\n - Capability inventory: Agents can modify the filesystem (
Writetool), execute shell commands viagitandnpm, and manipulate issue states (detailed inbackground-execution.mdandimplementer-prompt.md).\n - Sanitization: There is no evidence of filtering or sanitizing the content retrieved from the beads system before it is incorporated into the agent's context.\n- [COMMAND_EXECUTION]: The skill relies on extensive execution of system commands and CLI tools to perform its orchestration duties.\n
- Evidence: Files such as
background-execution.md,implementer-prompt.md, andverification-and-evidence.mdspecify the use ofgitfor version control,npmfor testing and building, and thebdutility for managing the beads environment.
Audit Metadata