subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is vulnerable to Indirect Prompt Injection (Category 8).
  * Ingestion points: The implementer-prompt.md and spec-reviewer-prompt.md templates interpolate untrusted content from implementation plans and subagent reports.
  * Boundary markers: No delimiters (such as XML tags or distinct blocks) are used to isolate untrusted task data from the subagent's system instructions, increasing the risk that embedded malicious instructions could be obeyed.
  * Capability inventory: The implementation subagent is granted capabilities to write code, run tests, and commit changes via a general-purpose tool, providing a direct execution path for injected payloads.
  * Sanitization: No validation or sanitization is performed on the plan content before it is processed.
- COMMAND_EXECUTION (MEDIUM): The workflow relies on subagents executing shell commands for development tasks (testing, git) based on the processing of untrusted plan data.
Recommendations
- AI detected serious security threats
Audit Metadata