subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): Indirect prompt injection via untrusted plan files.
  * Ingestion Point: The skill reads a plan file in Step 1 and interpolates its tasks into subagent prompts in Step 2.
  * Boundary Markers: Absent. There are no delimiters (e.g., XML tags or triple quotes) or safety instructions wrapping the untrusted task data.
  * Capability Inventory: Subagents are granted 'general-purpose' tools to implement code, run tests, and commit changes.
  * Sanitization: Absent. No validation or escaping is performed on the ingested plan content.
- COMMAND_EXECUTION (MEDIUM): The skill facilitates arbitrary code execution and file system modification through its subagent orchestration. While functional, this represents a significant security risk because the core logic depends on subagents executing commands defined in an unverified external source (the plan file).
Recommendations
- AI detected serious security threats