Swarm Orchestration

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill demonstrates a significant surface for indirect prompt injection. Evidence: (1) Ingestion points: Untrusted task descriptions are ingested via the '--task' parameter in 'task-orchestrate' and the 'goal' property in 'autoOrchestrate' (SKILL.md). (2) Boundary markers: No delimiters or isolation instructions are present to prevent the agent from obeying instructions embedded within the task data. (3) Capability inventory: The skill has high-privilege capabilities including spawning new agents ('agent-spawn') and complex task orchestration ('task-orchestrate'). (4) Sanitization: There is no evidence of input validation or sanitization of the provided task strings.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill utilizes 'npx agentic-flow' throughout its documentation. This triggers the download and execution of the 'agentic-flow' package from the npm registry, which is not a verified trusted source.
  • [COMMAND_EXECUTION] (MEDIUM): The 'Quick Start' and 'Integration with Hooks' sections explicitly use shell commands to initialize swarms and spawn agents, creating a pathway for command injection if the underlying agent interprets user-controlled strings as shell arguments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:02 PM