delegated-execution
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by reading task specifications from external plan files and passing them to subagents.
  - Ingestion points: SKILL.md describes reading implementation plans from docs/plans/feature-plan.md and extracting task text.
  - Boundary markers: The implementer-prompt.md uses headers like ## Task Specification to delimit content, but does not include explicit instructions to ignore embedded agent commands.
  - Capability inventory: The builder subagents are authorized to write code, execute shell commands for testing, and commit changes via git.
  - Sanitization: No sanitization or filtering of the task text is performed before it is interpolated into the subagent's prompt.
- [COMMAND_EXECUTION]: The workflow involves subagents performing actions that require shell access.
  - Evidence: The implementer-prompt.md template explicitly directs the subagent to 'Write tests', 'Verify the implementation works', and 'Commit your work', which necessitates the execution of development tools and scripts.
Audit Metadata