subagent-driven-development
Pass
Audited by Gen Agent Trust Hub on Jun 22, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests implementation plans and task descriptions which are directly interpolated into subagent prompts.
- Ingestion points: Implementation plan files are read and their contents are passed to the implementer and reviewer subagents (as seen in
implementer-prompt.mdandspec-reviewer-prompt.md). - Boundary markers: Templates use markdown headers (e.g.,
## Task Description) to delimit injected content, but they lack explicit instructions to the subagent to ignore instructions embedded within the task text itself. - Capability inventory: Subagents are tasked with implementing code, writing and running tests, and committing changes to the repository, which provides a significant capability surface if a plan is malicious.
- Sanitization: There is no evidence of automated sanitization or validation of the plan content before it is interpolated into prompts.
- [COMMAND_EXECUTION]: The implementer subagent is explicitly instructed to execute shell-level operations.
- Evidence: In
implementer-prompt.md, the agent is directed to "Write tests", "Verify implementation works" (typically via a test runner), and "Commit your work". These operations involve subprocess calls and file system modifications. - [REMOTE_CODE_EXECUTION]: While the skill does not download external scripts from the internet, it facilitates the dynamic generation and execution of code (via subagents writing and testing new files). This is the intended primary purpose of the skill, and the risk is mitigated by the multi-stage review process (spec review and code quality review) defined in
SKILL.md.
Audit Metadata