sparc-methodology
Pass
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references and utilizes the claude-flow package hosted on NPM and GitHub. These resources are maintained by the skill author (ruvnet).
- [COMMAND_EXECUTION]: The methodology instructions direct the agent to execute tasks using npx claude-flow and various MCP tool calls for orchestration, code generation, and testing.
- [PROMPT_INJECTION]: The skill includes a researcher mode that ingests untrusted data from the web (WebSearch/WebFetch). This data is processed alongside capabilities such as code execution (tdd mode) and file modification (coder mode), creating a surface for indirect prompt injection.
- Ingestion points: researcher mode via WebSearch and WebFetch MCP tools.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are specified for processing external research data.
- Capability inventory: coder (batch file operations), tdd (test suite execution), orchestrator (agent spawning), and batch-executor (concurrent operations).
- Sanitization: No sanitization or validation of the ingested web content is described before use in downstream development tasks.
Audit Metadata