swarm
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The orchestration logic described in references/local-mode.md is designed to execute arbitrary shell commands defined in task metadata (e.g., validation.command). This capability allows for arbitrary code execution if the task definitions originate from an untrusted source.
- [PROMPT_INJECTION] (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its architecture of ingesting external task data and passing it to sub-agents.
  - Ingestion points: scripts/ol-wave-loader.sh parses JSON wave files, and references/local-mode.md describes workers receiving task descriptions from these files.
  - Boundary markers: Absent. The worker prompt template in references/local-mode.md does not use delimiters or instructions to ignore embedded commands within the interpolated task data.
  - Capability inventory: The skill utilizes shell command execution via bash, git worktree operations, and a custom ol CLI tool.
  - Sanitization: Absent. While scripts/ol-wave-loader.sh checks for the existence of fields, it does not sanitize task IDs, titles, or descriptions for shell injection characters or malicious instructions.
- [DATA_EXPOSURE] (LOW): The use of /tmp/swarm-<id> for git worktrees in references/local-mode.md may expose repository contents to other users on the same host if permissions are not strictly managed.
Audit Metadata