swarm-coding-skill

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUM
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Data Exposure & Credentials (HIGH): The skill reads from a .env file in the workspace root to retrieve the OPENROUTER_API_KEY. Accessing .env files programmatically is a high-risk practice as these files often contain unrelated sensitive credentials that could be exposed if the skill's logic is compromised.
  • Unverifiable Logic (MEDIUM): The primary execution script, orchestrator.js, is referenced in the package configuration but not included in the provided file list. Without this source code, it is impossible to verify how the skill manages the API key, sanitizes user inputs, or interacts with the host file system.
  • Indirect Prompt Injection (LOW): The skill processes untrusted user prompts to drive autonomous code generation.
    1. Ingestion points: User-provided natural language prompts in orchestrator.js.
    2. Boundary markers: No specific delimiters or instructions to ignore embedded commands are mentioned.
    3. Capability inventory: The skill has file system write access (outputPaths) and performs network requests to the OpenRouter API.
    4. Sanitization: No input sanitization or output validation for generated code is described beyond a retry mechanism.
  • Privilege/Path Traversal (MEDIUM): The skill is configured to write output to directories outside its own installation path, specifically ../swarm-projects/ and ../.learnings/. This behavior requires the agent to have broad write permissions and could potentially lead to the overwriting of unrelated files in the parent workspace.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 11:00 AM