swarm-coordination
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE PROMPT_INJECTION COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface.
  - Ingestion points: The skill ingests untrusted data via `subtask_description`, `subtask_title`, and `shared_context` fields in the `swarm_spawn_subtask` tool.
  - Boundary markers: Absent. The resulting prompt from `swarm_spawn_subtask` is passed directly to the `Task` tool without visible delimiters or 'ignore embedded instructions' warnings.
  - Capability inventory: Spawned sub-agents (`swarm:worker`) have access to file editing, tool execution, and potentially the same wildcard toolset.
  - Sanitization: No sanitization or escaping of the input variables is demonstrated before they are used to generate the worker's prompt.
- [COMMAND_EXECUTION] (LOW): Over-privileged Tool Access.
  - Evidence: The skill documentation explicitly states it is configured with `tools: ["*"]`. While intended for flexibility in a swarm environment, this grants the agent and its sub-agents access to every available tool in the environment, increasing the impact of a successful injection attack.
Audit Metadata