qcsd-refinement-swarm
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill uses npx @claude-flow/cli@latest in multiple phases (2, 4, 7). This command downloads and executes code from the NPM registry at runtime, which is a significant security risk if the package is compromised or malicious.
- [COMMAND_EXECUTION]: Several CLI commands are executed to manage the swarm state, including swarm init, agent spawn, and memory store. These commands interact directly with the shell environment.
- [EXTERNAL_DOWNLOADS]: The skill initiates downloads of external packages and potentially other resources via the npx and git clone (implied in CLI options) commands.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates untrusted user story content into agent prompts with only basic delimiters.
  - Ingestion points: User story content processed in Phases 1, 2, and 4.
  - Boundary markers: Uses === STORY CONTENT START === and === STORY CONTENT END === delimiters.
  - Capability inventory: The skill can write files, execute shell commands via npx, and perform MCP memory operations.
  - Sanitization: No input validation or instruction filtering is applied to the story content before it is passed to sub-agents.
Audit Metadata