subagent-driven-development

Pass

Audited by Gen Agent Trust Hub on Apr 20, 2026

Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface through its subagent orchestration workflow.
  • Ingestion points: Task requirements from external implementation plans (e.g., docs/superpowers/plans/feature-plan.md) are interpolated directly into the implementer and reviewer subagent prompts.
  • Boundary markers: The provided templates (implementer-prompt.md and spec-reviewer-prompt.md) place no structural delimiters around the task text and carry no "ignore embedded instructions" directive, so untrusted plan content is not isolated from the agent's own instructions.
  • Capability inventory: Implementer subagents receive general-purpose tool access that lets them modify the filesystem, write executable code, and run tests; instructions embedded in a plan file could therefore be acted on with those capabilities.
  • Sanitization: There is no evidence of escaping, validation, or filtering of content extracted from plan files before it enters the agent context.
  • Mitigation: The architecture's two-stage review process (spec compliance, then code quality) provides defense in depth: reviewers are explicitly instructed to verify the implementation by reading the code rather than trusting the implementer's report summary, so a subverted implementer cannot hide its changes by leaving them out of its report. Note that this review runs after the implementer has already used its tools, so it detects rather than prevents misuse.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 20, 2026, 04:30 AM
Security Audit — agent-trust-hub — subagent-driven-development