skills/am-will/swarms/super-swarm/Gen Agent Trust Hub

super-swarm

Pass

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION

Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it parses external markdown plan files and interpolates their contents into subagent prompts without sufficient validation or structural boundary markers.
      • Ingestion points: Markdown plan files (e.g., plan.md) parsed in Step 2 of SKILL.md.
      • Boundary markers: No structural delimiters or explicit 'ignore embedded instructions' warnings are used when injecting plan content (such as [relevant overview] and [Full description]) into the subagent prompt template. However, the subagent instructions include a rule to 'stop and report' if a path not listed in the context pack is needed, which serves as a partial behavioral boundary.
      • Capability inventory: The orchestrator and its subagents possess capabilities to read and write files, stage git commits, and execute shell commands (e.g., 'run tests and fix failures' in Step 6).
      • Sanitization: No sanitization or filtering logic is present to evaluate the safety of the content extracted from the plan files before it is processed by the agents.
  • [COMMAND_EXECUTION]: The skill is designed to perform automated code modifications ('integration fixes') and execute shell commands ('run tests') based on criteria and validation steps defined in the external plan files. This allows instructions within a plan file to trigger command execution on the host environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 12, 2026, 03:01 PM