code-subagents
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection because it ingests and processes untrusted data from external sources during the subagent dispatch and review process.
  - Ingestion points: Task descriptions from `plan.json`, architectural decisions from `spec.md`, and implementation reports generated by subagents (referenced in `SKILL.md` and templates).
  - Boundary markers: The templates in `references/` use markdown headers and placeholders (e.g., `## Task Description`, `{FULL TEXT ...}`) to delimit external content, which provides some structural separation but does not prevent malicious instructions within that content from influencing the agent.
  - Capability inventory: The skill facilitates file reading/writing (via the implementation tasks) and utilizes task management tools (e.g., the `bd` command mentioned in `SKILL.md` for closing tasks).
  - Sanitization: There is no explicit evidence of sanitization, escaping, or validation of the external text before it is interpolated into the reviewer and implementer prompts.
Audit Metadata