qcsd-ideation-swarm
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to command injection in `SKILL.md` because it interpolates the user-provided `${URL}` variable directly into shell commands executed via the Bash tool, specifically in the automated fetch cascade (`node ./scripts/fetch-content.js "${URL}" ...`) and in the fallback Playwright setup scripts. A crafted URL containing shell metacharacters therefore lets an attacker execute arbitrary shell commands. The double quotes around `${URL}` do not prevent this: a URL containing `"`, `$(...)` or a backtick is still interpreted by the shell inside the quoted string.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface in `SKILL.md` by fetching content from external URLs and passing it into the prompts of multiple sub-agents (e.g. `qe-quality-criteria-recommender`, `qe-risk-assessor`) that possess sensitive capabilities such as file writing and tool execution.
  - Ingestion points: external web content is fetched by the `fetch-content.js` script in Phase URL-1 of `SKILL.md`, from a user-provided URL.
  - Boundary markers: minimal delimiters (e.g. `=== EPIC CONTENT START ===`) are used in some sub-agent prompts but are entirely absent in others, such as the regex-based flag detection logic in Phase URL-2. A fixed, predictable delimiter can also be reproduced by the fetched page itself, so on its own it does not separate data from instructions.
  - Capability inventory: all spawned agents have access to the `Task`, `Bash`, `Write` and `Read` tools, as defined in the swarm orchestration logic in `SKILL.md`.
  - Sanitization: no sanitization, escaping or validation of the fetched external content is performed before it is interpolated into agent prompts.
- [EXTERNAL_DOWNLOADS]: The skill dynamically installs unverified Node.js packages (`playwright-extra`, `puppeteer-extra-plugin-stealth`, `playwright`) and executes external CLI tools via `npx` (`aqe`, `@claude-flow/cli`) from remote registries at runtime in `SKILL.md`. Because nothing is pinned or integrity-checked, whatever the registry serves at run time is executed with the skill's privileges.
Recommendations
- AI detected serious security threats
Audit Metadata