delegation
Pass
Audited by Gen Agent Trust Hub on May 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes Git and package management commands (`npm install`, `git worktree add`) to manage isolated environments for subagents. These operations are scoped to the project's worktree directory.
- [EXTERNAL_DOWNLOADS]: Fetches project dependencies from official package registries (NPM) during the environment setup phase for delegated tasks.
- [PROMPT_INJECTION]: The skill ingests implementation plans and review reports, which are used to generate prompts for subagents, creating a surface for indirect prompt injection.
  - Ingestion points: Task details are extracted from implementation plans in `SKILL.md` and failure contexts are read from state files in `references/fix-mode.md`.
  - Boundary markers: Templates in `references/implementer-prompt.md` and `references/fixer-prompt.md` use markdown headers (e.g., '## Task Description', '## Issue to Fix') to delimit untrusted content.
  - Capability inventory: Spawned subagents have the ability to modify files, execute tests, and perform git operations (commit/push).
  - Sanitization: No explicit sanitization or escaping of the plan/review content was identified before interpolation into subagent prompts.
Audit Metadata