subagent-orchestration
Pass
Audited by Gen Agent Trust Hub on Jun 25, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill serves as a procedural framework for managing sub-agents such as 'security-auditor' and 'testing-engineer'. It defines clear triggers for when to invoke these agents based on the nature of code changes.
- [SAFE]: Includes security-positive instructions that mandate a vulnerability assessment by the 'security-auditor' whenever changes affect sensitive areas like token handling, access control, or cryptographic operations.
- [SAFE]: Integration with project management tools (Jira) and knowledge graphs is performed through designated sub-agents ('project-tracker', 'context-keeper') as part of the vendor's intended functionality for tracking progress and architectural decisions.
- [SAFE]: Indirect Prompt Injection Surface: The skill defines an attack surface where untrusted data (source code in
[files]) is ingested into sub-agent prompts. While ingestion points and write capabilities exist (e.g., the 'testing-engineer' writes files), this is an inherent aspect of coding assistant workflows and the skill does not introduce any specific vulnerabilities or bypasses. No boundary markers or sanitization logic are defined in this orchestration layer, which is typical for such instruction sets.
Audit Metadata