subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes implementation plans from the filesystem and interpolates their content directly into subagent prompts, creating a surface for indirect prompt injection.
  - Ingestion points: Plan files are read from paths like `conductor/tracks/{track_id}/plan.md`, and task descriptions are passed to subagents in `implementer-prompt.md` and `spec-reviewer-prompt.md`.
  - Boundary markers: The templates use markdown headers (e.g., `## Task Description`) to separate content, but they do not use strict delimiters or provide specific instructions to the subagents to ignore potentially malicious commands embedded in the task text.
  - Capability inventory: The subagents targeted by these prompts have the ability to perform file writes (`write_file`) and git operations (commit), which could be leveraged if an attacker-controlled plan file is processed.
  - Sanitization: There is no evidence of sanitization or validation of the plan content before it is provided to the subagents.
Audit Metadata