qcsd-production-swarm
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructions (SKILL.md) and fallback execution models frequently reference the use of
npx @claude-flow/cli@latest. This command downloads an external package from the npm registry at runtime. - [REMOTE_CODE_EXECUTION]: The use of
npxto fetch and run@claude-flow/cli@latestconstitutes remote code execution from an untrusted source, as the package provider is not a known trusted vendor or well-known service. - [COMMAND_EXECUTION]: The skill explicitly instructs the agent to execute shell commands (e.g.,
npx,memory search,swarm init) to coordinate the swarm and persist data. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it processes untrusted production telemetry and incident reports and interpolates them into agent prompts without sufficient sanitization or robust boundary enforcement.
- Ingestion points: Production telemetry data is ingested from the
TELEMETRY_DATAparameter and local files likedocs/telemetry/production/latest.json(PHASE 0.5). - Boundary markers: Prompts use markers like
=== DORA METRICS DATA START ===but lack instructions to ignore nested commands or overrides within the data. - Capability inventory: Subagents are granted capabilities to write files (
Writetool), execute code/tasks (Task()), and interact with MCP/CLI tools. - Sanitization: No evidence of input validation or escaping for the telemetry data before interpolation into prompts.
Recommendations
- AI detected serious security threats
Audit Metadata