swarm-planner
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface due to combined data ingestion and downstream capabilities.
- Ingestion points: Reads local codebase architecture and fetches external documentation via 'Context7' or web search (SKILL.md, Sections 1 & 2).
- Boundary markers: No explicit delimiters or instructions are provided to the agent to treat external documentation or codebase comments as untrusted data.
- Capability inventory: The skill writes content to the local filesystem (
<topic>-plan.md) and spawns new subagent processes with instructions that could be influenced by injected data (SKILL.md, Sections 4 & 5). - Sanitization: There is no evidence of sanitization or validation of the retrieved documentation before it is incorporated into the plan or used to prompt the subagent.
- Dynamic Execution (MEDIUM): The skill dynamically spawns subagents using templates and variables derived from the planning process. While common for swarm-based agents, this provides a mechanism for malicious instructions to propagate from untrusted data sources (documentation/code) into new agent contexts.
- External Downloads (LOW): The skill uses 'Context7' or web search to fetch documentation. While these are retrieval mechanisms rather than direct execution, they are the primary vector for indirect prompt injection findings noted above.
Recommendations
- AI detected serious security threats
Audit Metadata