qcsd-development-swarm
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: Phase 7 (Learning Persistence) of SKILL.md defines a fallback mechanism using 'npx @claude-flow/cli@latest memory store'. The 'npx' command downloads and executes arbitrary code from the public NPM registry at runtime, and the '@latest' tag means the executed code is whatever version is published at run time rather than a pinned release. The package '@claude-flow/cli' does not originate from a trusted organization or well-known service listed in the safety guidelines, posing a high supply chain risk.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection due to how it handles untrusted input.
  - Ingestion points: SKILL.md (Phases 2, 4, and 8) reads source code from the user-specified 'SOURCE_PATH' and pastes it directly into the prompt body of multiple sub-agents (e.g., qe-tdd-specialist, qe-security-scanner, qe-defect-predictor).
  - Boundary markers: Absent; the code is enclosed in simple 'SOURCE CODE START/END' tags without specific instructions for the agent to ignore or neutralize embedded directives (such as malicious comments).
  - Capability inventory: The sub-agents have access to powerful capabilities, including the 'Task' tool for spawning further agents and the 'Write' tool for modifying the local file system.
  - Sanitization: No input validation, escaping, or sanitization is performed on the ingested source code before it is processed by the LLM.
- [COMMAND_EXECUTION]: The skill relies on external system utilities such as 'jq', as indicated in scripts/validate-config.json and evals/qcsd-development-swarm.yaml. It also exposes a CLI execution model which orchestrates the swarm via shell commands, increasing the attack surface for command injection if configuration values are not strictly validated.
Recommendations
- AI detected serious security threats
Audit Metadata