qcsd-cicd-swarm

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for Indirect Prompt Injection because it ingests and processes untrusted external data.
      ◦ Ingestion points: The skill reads PIPELINE_ARTIFACTS, including test results, build artifacts, CI/CD configuration files, and git diffs (Phase 1, Phase 2).
      ◦ Boundary markers: The prompts for core agents use delimiter markers (e.g., === TEST RESULTS START ===), which provide some separation but do not prevent an attacker from including instructions in the artifacts that could influence sub-agent behavior.
      ◦ Capability inventory: The agents have significant capabilities, including the ability to write multiple reports to the local file system using the Write tool and to interact with persistent memory and state via mcp__agentic-qe__memory_store and mcp__agentic-qe__memory_share calls.
      ◦ Sanitization: There is no evidence of data sanitization, escaping, or validation of the ingested pipeline content before it is interpolated into the prompts for the specialized agents.
  • [REMOTE_CODE_EXECUTION]: The documentation for the CLI execution model recommends using unverified remote packages.
      ◦ Evidence: The 'Execution Model Options' section suggests running npx @claude-flow/cli@latest. This command fetches and executes code from the npm registry without pinning a version (the @latest tag resolves to whatever is currently published). Since the package is not from a trusted organization and lacks version pinning, it poses a risk of supply chain attack or execution of malicious code if the package is compromised.
  • [COMMAND_EXECUTION]: The skill relies on extensive command and subprocess execution for its operation.
      ◦ Evidence: The swarm orchestration involves spawning up to 10 distinct sub-agents. The evaluation configuration (evals/qcsd-cicd-swarm.yaml) lists jq as a required tool, indicating that the skill or its associated scripts execute CLI-based utilities to process data.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 10:05 PM