antigravity-swarm
Fail
Audited by Gen Agent Trust Hub on Feb 13, 2026
Risk Level: CRITICAL (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [REMOTE_CODE_EXECUTION] (CRITICAL): The scripts/dispatch_agent.py file implements a shim layer that parses agent output for <<RUN_COMMAND>> tags and executes the contents directly using subprocess.run(command, shell=True). This allows any agent (or injected instructions) to execute arbitrary shell commands on the host system.
- [COMMAND_EXECUTION] (CRITICAL): The scripts/compactor.py script takes log files (progress.md, findings.md), which are populated by agents, and sends them to an LLM to be "compacted". The resulting summary is then written back to the file system. If an attacker injects malicious tags into the logs, they can trigger command execution when the compactor processes them or when subsequent agents read the corrupted logs.
- [PROMPT_INJECTION] (HIGH): The system is designed to process "Missions" and "Tasks" provided by users or external sources. The dispatch_agent.py script prepends a system instruction to the task but does not use adequate boundary markers to prevent the task content from overriding the shim instructions.
- [DATA_EXFILTRATION] (HIGH): Because agents can run arbitrary shell commands (curl, wget) and read any file the user has access to, there is a high risk that sensitive data (such as ~/.gemini/ configs or environment variables) could be exfiltrated to an attacker-controlled endpoint.
- [DATA_EXFILTRATION] (MEDIUM): The scripts/dispatch_agent.py script supports a --log-file argument that writes agent outputs (including potentially sensitive data processed during a mission) to a file path that could be redirected to a public-facing directory.
Recommendations
- AI detected serious security threats
Audit Metadata