subagents-orchestration-guide
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements an "Autonomous Execution Mode" where authority for file modifications ("Edit"/"Write") and shell commands ("git commit" via "Bash") is delegated to subagents after a single batch approval. This reduction in human-in-the-loop oversight during the implementation phase increases the impact of potential prompt injection attacks.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface:
  - Ingestion points: Untrusted data from user requirements and structured JSON responses from subagents enter the context (SKILL.md).
  - Boundary markers: Absent. There are no instructions for the agent to treat subagent output or user requirements purely as data or to ignore embedded instructions.
  - Capability inventory: The framework utilizes high-privilege tools including "Edit", "Write", and "Bash" (SKILL.md).
  - Sanitization: Absent. No escaping or validation is specified for data passed between agents.
- [DATA_EXFILTRATION]: The orchestration logic combines file-read capabilities ("Grep", "Glob", "Read") with a network-access tool ("WebSearch"). Data from local files could be exfiltrated through search queries or external research tasks performed by subagents such as the "requirement-analyzer".
- [COMMAND_EXECUTION]: The skill instructs the agent to use "Bash" to execute "git commit". This provides a mechanism for shell command execution that could be abused if parameters such as commit messages are derived from unsanitized external input.