subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by design as it ingests and processes external implementation plans.\n
- Ingestion points: The primary workflow in
SKILL.md(Step 1) involves reading an implementation plan and extracting tasks, which are then used as instructions for subagents.\n - Boundary markers: Templates such as
implementer-prompt.mdandspec-reviewer-prompt.mduse simple placeholders (e.g.,[PASTE FULL TASK TEXT]) for data interpolation, which lack robust delimiters or specific instructions to the subagent to ignore embedded commands.\n - Capability inventory: The subagents are granted capabilities to modify the file system and run "verification checks" (typically command execution) based on the input tasks.\n
- Sanitization: There is no evidence of sanitization, filtering, or validation of the task content before it is passed to the implementation subagent.
Audit Metadata