subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of implementation plans.
  - Ingestion points: The files `references/implementer-prompt.md` and `references/spec-reviewer-prompt.md` ingest external task text and requirements directly into subagent prompts via the `[FULL TEXT of task...]` placeholders.
  - Boundary markers: The prompt templates utilize Markdown headers (e.g., `## Task Description`) to delimit data, but they lack explicit instructions or guardrails to prevent the subagent from executing commands that might be embedded within those task descriptions.
  - Capability inventory: The subagents are granted capabilities to modify the file system (writing code), execute subprocesses (running tests), and perform git operations (committing work).
  - Sanitization: There is no evidence of input validation, escaping, or sanitization of the interpolated plan content before it is processed by the AI models.