swarm

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH
Risk categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The swarm.sh script executes project-defined commands extracted from package.json (such as test, lint, and typecheck). It also performs Git operations including worktree creation, branching, and merging, which provides the agent with significant control over the local repository.
  • [REMOTE_CODE_EXECUTION]: In the run_agent function within swarm.sh, AI agents are executed using the claude and codex command-line tools with flags that bypass standard security sandboxes and permission requirements (--dangerously-skip-permissions and --dangerously-bypass-approvals-and-sandbox). This allows the agent to execute any shell command on the host without user approval.
  • [EXTERNAL_DOWNLOADS]: The skill automatically executes package manager commands (npm install, pnpm install, yarn install, or bun install) when setting up agent worktrees. This results in the download and potential execution of third-party dependencies from public registries.
  • [PROMPT_INJECTION]: The agent-prompts.md templates instruct agents to resolve conflicts and implement features using "judgment," but lack robust boundary markers or safety constraints to prevent the agent from following malicious instructions found within the code or project history.
  • [DATA_EXPOSURE]: The CRAP Agent and Mutation Agent are designed to read the entire codebase and coverage reports, which, while necessary for their function, provides the AI model with broad access to the project's source code and structure.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes untrusted data from external sources.
      • Ingestion points: Tasks are pulled from Linear, GitHub, and Jira into .swarm/runs/<ts>/backlog.md.
      • Boundary markers: None identified in the prompt templates to distinguish between instructions and task data.
      • Capability inventory: Agents have the ability to write files, execute shell commands, and perform Git operations (swarm.sh and agent-prompts.md).
      • Sanitization: There is no evidence of sanitization or validation of the task descriptions pulled from external issue trackers before they are processed by the agents.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 6, 2026, 06:59 AM