swarm
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection via user-provided plan files. Implementation plans are parsed and their content is directly included in the prompts for subagents without sanitization or robust boundary markers.
- Ingestion points: Implementation plans (e.g.,
docs/PLAN.md) are parsed byscripts/swarm.pyto extract phase details. - Boundary markers: The prompts used to spawn subagents in
SKILL.mddo not utilize strong delimiters or explicit instructions to ignore potentially malicious content within the plan data. - Capability inventory: Spawned subagents possess significant capabilities, including bash execution and file system access within their respective worktrees.
- Sanitization: No sanitization or validation is applied to the content extracted from the plan file before it is interpolated into agent instructions.
- [COMMAND_EXECUTION]: The skill's workflow involves the execution of various shell commands and scripts associated with the project being developed.
- It executes
maketargets (build,test,worktree) and a project-defined.worktree-setup.shscript to manage environment configuration and dependency installation. - The GitHub CLI (
gh) is used to create and manage PRs and issues, with arguments derived from the parsed plan file. - [CREDENTIALS_UNSAFE]: The initialization and worktree management process involves the exposure of sensitive environment configuration.
- Initialization instructions in
references/prerequisites.mdandreferences/worktree-guide.mdspecify symlinking the main.envfile into every created git worktree. This practice provides every worker agent and process access to all project-level secrets and credentials.
Audit Metadata