100Critical
This skill is highly vulnerable to arbitrary code execution
Behavior Analysis
Description verified — behavior matches claim
Claims to do
Subagent-Driven Development: Execute plan by dispatching fresh subagent per task, with two-stage review after each: spec compliance review first, then code quality review.
Actually does
This skill orchestrates a multi-agent development workflow. It reads a development plan, extracts tasks, and for each task, dispatches an 'implementer' subagent (using `./implementer-prompt.md`). It then dispatches a 'spec reviewer' subagent (using `./spec-reviewer-prompt.md`) and a 'code quality reviewer' subagent (using `./code-quality-reviewer-prompt.md`), looping for fixes as needed. It interacts with a `TodoWrite` system to track task completion and integrates with other 'superpowers' skills like `using-git-worktrees` and `finishing-a-development-branch`.
Skill Info
Nameobra/superpowers/subagent-driven-development
Registrygithub
Versiona569527b89c1
PURLpkg:github/obra/superpowers@a569527b89c1?skill=subagent-driven-development
Stars180,084
Installs60,600
Source
SHA-256081ad3869e55...
SHA-12ea2f0b09ac8...
MD5543afab876dc...
TLSHd742a8777993...
ssdeep192:FF5kSUXU...
Size12,139 bytes
Install
This skill has been flagged as potentially malicious. Review the findings below before installing.
GitHub
https://github.com/obra/superpowers/tree/main/skills/subagent-driven-development60,600 installs
Claude CodeDocs
/plugin marketplace add obra/superpowers/plugin install subagent-driven-development@obra/superpowers
CodexDocs
Gemini CLIDocs
gemini extensions install https://github.com/obra/superpowers.git --consent
CursorDocs
Skills.shDocs
npx skills add https://github.com/obra/superpowersAssessments (4)
AI Agent Traps ↗Sub-agent spawning with external prompt filescriticalsub agent spawning
The skill dispatches subagents using external prompt files (e.g., Markdown files). If these files are compromised or attacker-controlled, the spawned subagents will execute attacker-defined instructions, leading to full system compromise.
100% confidenceline 55
./implementer-prompt.md, ./spec-reviewer-prompt.md, ./code-quality-reviewer-prompt.md
Subagent code generation and execution capabilitieshighcommand execution
Implementer subagents are tasked with generating, testing, and committing code, including using git worktrees. This capability, if exploited by a malicious subagent, could lead to arbitrary code execution, data exfiltration, or unauthorized system modifications.
90% confidenceline 64
Implementer subagent implements, tests, commits, self-reviews; superpowers:using-git-worktrees; superpowers:finishing-a-development-branch
External skill dependencies introduce supply chain risklowsupply chain
The skill has multiple external dependencies on other 'superpowers:' skills. A compromise in any of these dependent skills could introduce vulnerabilities or malicious behavior into the current skill's operations.
80% confidenceline 64
Required workflow skills: superpowers:using-git-worktrees, superpowers:writing-plans, superpowers:requesting-code-review, superpowers:finishing-a-development-branch; Subagents should use: superpowers:test-driven-development.
Unbounded review loops leading to resource abusehighautonomy abuse
The skill mandates continuous review loops until approval. A malicious subagent could intentionally fail reviews, leading to unbounded retries, resource exhaustion, or human approval fatigue.
90% confidenceline 224
Review loops ensure fixes actually work; Repeat until approved; Never skip review loops; Never accept 'close enough' on spec compliance.
Human interaction for social engineeringmediumsocial engineering
The skill design includes direct interaction where subagents ask questions and humans provide context. This channel could be exploited by a malicious subagent for social engineering or to elicit sensitive information.
80% confidenceline 49
Implementer subagent asks questions?; Answer questions, provide context; If subagent asks questions: Answer clearly and completely.
RAG/Context poisoning via human inputmediumrag poisoning
The human's ability to 'Answer questions, provide context' allows for direct injection of information into the subagent's working memory, potentially poisoning its RAG or manipulating its reasoning.
70% confidenceline 217
Answer questions, provide context; Controller curates exactly what context is needed; Subagent gets complete information upfront.
Version History (4)
Dependencies (1)
superpowers.claude-plugin/marketplace.jsonnot scanned
Badge
Markdown
[](https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/subagent-driven-development)HTML
<a href="https://mondoo.com/ai-agent-security/skills/github/obra/superpowers/subagent-driven-development"><img src="https://mondoo.com/ai-agent-security/api/badge/github/obra/superpowers/subagent-driven-development.svg" alt="Mondoo Skill Check" /></a>Image URL
https://mondoo.com/ai-agent-security/api/badge/github/obra/superpowers/subagent-driven-development.svgSecure your AI agents
Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.
- Continuous scanning of skills across all registries
- Policy enforcement before skills reach your agents
- Integration with your existing security workflow