swarm

Fail

Audited by Snyk on Mar 6, 2026

Risk Level: CRITICAL
Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). The content presents high-risk, intentional bypasses of LLM safeguards and grants autonomous agents full filesystem/git control (dangerous CLI flags, automatic rebase/merge-to-main, dependency installs, and hiding .swarm in .gitignore). These enable remote code execution, repository modification without human oversight, supply-chain abuse, and easy exfiltration of repository data to remote LLM services. There is no explicit obfuscated payload or hard-coded exfiltration endpoint, but the design deliberately grants capabilities that can be abused as a backdoor.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly instructs pulling backlog tasks from public sources (Linear/GitHub/Jira) and the Feature Agent prompt tells agents to read linked GitHub/Linear/Jira issues for deeper context (see SKILL.md Phase 1 Backlog and references/agent-prompts.md — Feature Agent step 4), so untrusted, user-generated third‑party content is read and can influence agent decisions and actions.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Mar 6, 2026, 06:59 AM