subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [Prompt Injection] (LOW): The skill is susceptible to indirect prompt injection because it ingests untrusted data from implementation plans.
- Ingestion points: Task descriptions and plan context are read from external files (e.g., `docs/plans/feature-plan.md`) and interpolated into the `implementer-prompt.md` and `spec-reviewer-prompt.md` templates.
- Boundary markers: The templates use Markdown headers like `## Task Description` and `## Context` to separate instructions from data; however, they do not include explicit instructions for the subagent to ignore embedded commands within that data.
- Capability inventory: The subagents are granted capabilities to modify the file system (implement), execute arbitrary code (run tests), and perform git operations (commit).
- Sanitization: No sanitization, escaping, or schema validation is performed on the plan content before it is processed by the subagents.
Audit Metadata