subagent-driven-development
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to indirect prompt injection because it ingests untrusted data from implementation plans and interpolates it into subagent prompts without sanitization.
- Evidence Chain: 1. Ingestion points: Implementation plans are loaded in references/sequential-process.md and test failures in references/parallel-investigation.md. 2. Boundary markers: Absent. The prompts lack XML-style delimiters or 'ignore' instructions for embedded task content. 3. Capability inventory: Subagents are given broad permissions to implement code, write tests, commit work, and run shell verifications. 4. Sanitization: Absent. Content from the plan file is used directly to define the subagent's task.
- COMMAND_EXECUTION (HIGH): The workflow relies on subagents performing 'verification' and 'implementation' steps based on external task descriptions, providing an execution path for arbitrary commands if a malicious plan is processed.
Recommendations
- AI detected serious security threats
Audit Metadata