swarm

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This skill intentionally disables agent sandboxing/approvals and grants spawned AI agents broad shell/Git/npm capabilities (installing deps, rebasing, merging to main, editing code, persisting artifacts) while relying on weak grep-based hooks and .gitignore hiding — which creates a high-risk capability for remote code execution, covert codebase tampering/backdoor insertion, and supply‑chain or credential exfiltration.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly sources backlog items from external issue trackers (Linear, GitHub Issues, Jira) and the Feature Agent prompt instructs agents to read those remote issue pages for context (e.g., "pull tasks from Linear/GitHub/Jira" and "If the backlog links to a Linear/GitHub/Jira issue, read it for more context"), so untrusted user-generated third‑party content is fetched and interpreted and can influence agent decisions and tool use.