swarm-coordination
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it facilitates the spawning of sub-agents using untrusted data fields.
  - Ingestion points: Data from `subtask_description`, `shared_context`, and `subtask_title` in the `swarm_spawn_subtask` call is directly used to generate prompts for new agents.
  - Boundary markers: The provided documentation and code snippets do not show any use of delimiters (e.g., XML tags or triple quotes) or 'ignore' instructions to prevent the sub-agent from following instructions embedded within the task descriptions.
  - Capability inventory: The agents spawned have significant capabilities, including file system access (implied by `files` and `swarmmail_reserve`) and execution of arbitrary tasks via the `Task` tool.
  - Sanitization: No sanitization or validation of the input strings is mentioned before they are parsed and passed to `Task`.
- COMMAND_EXECUTION (LOW): The skill documentation explicitly mentions the use of `tools: ["*"]`. This wildcard configuration grants the agent access to all available tools in the environment. While stated as a user choice, this high-privilege state significantly expands the impact of any potential prompt injection attack.
Audit Metadata