agent-coordinator-swarm-init
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill downloads the 'claude-flow' package from the npm registry via 'npx' in the 'pre' and 'post' lifecycle hooks, so a registry fetch happens every time the skill is invoked.
- Evidence: 'npx claude-flow@alpha memory store' and 'npx claude-flow@alpha memory search' in the YAML frontmatter of SKILL.md.
- Risk: The package 'claude-flow' is not published by a trusted organization, and '@alpha' is a floating dist-tag rather than an exact version: whatever the tag points to at invocation time is fetched and run. A later publish under that tag (or a compromised maintainer account) replaces the code that the hooks execute without any change to SKILL.md, and no lockfile or integrity hash constrains what is fetched.
- [REMOTE_CODE_EXECUTION] (HIGH): The use of 'npx' is a 'download then execute' pattern: the package is resolved, fetched and run in one step, with no review between the two.
- Evidence: Hook definitions in SKILL.md.
- Risk: Whatever code is published under the referenced tag runs on the host machine, with the invoking user's privileges, whenever the skill is invoked; because the hooks run before and after the skill body, this happens on every use rather than only when a particular feature is exercised.
- [COMMAND_EXECUTION] (MEDIUM): The hooks are interpreted by a shell and use command substitution and conditional chaining to perform operations.
- Evidence: '$(date +%s)' and '|| echo' in the hooks.
- Risk: These constructs are benign on their own; the finding records that hook text is executed as shell code, so any value that is later interpolated into a hook (a task name, a namespace, a status string) is interpreted by the shell as well.
- [PROMPT_INJECTION] (MEDIUM): The skill exposes an indirect prompt injection surface (Category 8). It defines a 'MANDATORY' coordination protocol that every downstream agent in the swarm must follow, so text that reaches the protocol inherits its authority over those agents.
- Ingestion points: User prompts such as 'Initialize a swarm for [task]'; the bracketed task text flows into the coordination steps.
- Boundary markers: None. The skill uses no delimiters to separate the user-supplied task from the coordination logic, so the model has no structural cue as to which part is data and which part is instruction.
- Capability inventory: Remote package execution via npx, shell command execution, and read/write access to the shared 'coordination' memory namespace.
- Sanitization: None. Agent counts and topology names are interpolated directly into status updates and memory operations.
- Risk: A task description that contains instructions can ride on the 'MANDATORY' coordination steps and direct the spawned agents, for example to write data they hold into the shared 'coordination' namespace, where any other agent (or the hooks' 'memory search') can read it out.
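The three code-level findings above (a floating '@alpha' dist-tag passed to npx, the resulting fetch-and-run, and shell constructs inside the hooks) can be checked mechanically before a skill is installed. The scanner below is an added example written for this page; it is not code from the audit tool or from the claude-flow project. It reads the YAML frontmatter of a SKILL.md, flags every 'npx' invocation whose package spec is not an exact semver version, flags command substitution and '||' chaining, and reports a verdict. The two SKILL.md samples are constructed from the evidence strings quoted in the findings; the frontmatter layout ('hooks:' with 'pre:'/'post:' block scalars), the pinned version '2.0.0' in the hardened sample and the severity weights are assumptions, not facts about the audited skill.

```python
"""Scan a SKILL.md frontmatter for fetch-and-run npx hooks and shell constructs.

Added example for this audit page; not the audit tool's or claude-flow's code.
"""
import re
from dataclasses import dataclass

# Frontmatter is the block between the opening '---' on line 1 and the next '---'.
FRONTMATTER_RE = re.compile(r"\A---\n(.*?)\n---\n", re.DOTALL)
# npx [flags] <package>[@<spec>]; scoped packages (@org/pkg) are handled.
NPX_RE = re.compile(r"\bnpx\s+(?:-[-\w]+\s+)*((?:@[\w.-]+/)?[\w.-]+)(?:@(\S+))?")
# Only an exact version (e.g. 1.2.3 or 1.2.3-rc.1) counts as pinned;
# dist-tags like 'alpha' or 'latest' and ranges like '^1.2.3' do not.
EXACT_SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(?:-[\w.-]+)?(?:\+[\w.-]+)?$")
SUBSHELL_RE = re.compile(r"\$\([^)]*\)|`[^`]*`")
CHAIN_RE = re.compile(r"\|\|")
SEVERITY_ORDER = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


@dataclass
class Finding:
    category: str
    severity: str
    line: int        # 1-based line number in SKILL.md
    evidence: str


def frontmatter(text: str) -> str:
    """Return the frontmatter body, or '' if the file has none."""
    m = FRONTMATTER_RE.match(text)
    return m.group(1) if m else ""


def classify_npx(spec):
    """Unpinned or dist-tag spec: fetch can change under us (HIGH).
    Exact pin: still fetch-and-run at invocation time, but immutable (MEDIUM)."""
    if spec is None or not EXACT_SEMVER_RE.match(spec):
        return [("EXTERNAL_DOWNLOADS", "HIGH"), ("REMOTE_CODE_EXECUTION", "HIGH")]
    return [("REMOTE_CODE_EXECUTION", "MEDIUM")]


def scan_skill(text: str):
    findings = []
    # Frontmatter body starts on line 2; line 1 is the opening '---'.
    for lineno, line in enumerate(frontmatter(text).splitlines(), start=2):
        for m in NPX_RE.finditer(line):
            for category, severity in classify_npx(m.group(2)):
                findings.append(Finding(category, severity, lineno, m.group(0)))
        if SUBSHELL_RE.search(line) or CHAIN_RE.search(line):
            findings.append(Finding("COMMAND_EXECUTION", "MEDIUM", lineno, line.strip()))
    return findings


def max_severity(findings) -> str:
    if not findings:
        return "NONE"
    return max((f.severity for f in findings), key=SEVERITY_ORDER.__getitem__)


# Constructed sample modelled on the evidence quoted in the audit (not the real file).
VULNERABLE_SKILL = """---
name: agent-coordinator-swarm-init
description: Initialize a swarm for [task]
hooks:
  pre: |
    npx claude-flow@alpha memory store "swarm/start" "$(date +%s)" --namespace coordination || echo "store failed"
  post: |
    npx claude-flow@alpha memory search "swarm/*" --namespace coordination || echo "search failed"
---
# MANDATORY coordination protocol
Initialize a swarm for [task] and report status.
"""

# Constructed hardened variant: exact pin (2.0.0 is a placeholder), no subshell, no '||'.
HARDENED_SKILL = """---
name: agent-coordinator-swarm-init
hooks:
  pre: |
    npx claude-flow@2.0.0 memory store "swarm/start" --namespace coordination
---
# Same body, hooks pinned to an exact version.
"""

if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_SKILL), ("hardened", HARDENED_SKILL)):
        found = scan_skill(sample)
        print(f"{label}: verdict={max_severity(found)}")
        for f in found:
            print(f"  [{f.category}] ({f.severity}) line {f.line}: {f.evidence}")
```

Run it against the vulnerable sample and both hook lines produce EXTERNAL_DOWNLOADS and REMOTE_CODE_EXECUTION findings plus a COMMAND_EXECUTION finding each, giving a HIGH verdict; the pinned variant is reduced to a single MEDIUM REMOTE_CODE_EXECUTION finding, because an exact version removes the floating tag but does not remove the registry fetch at invocation time. Installing the dependency ahead of time and calling the installed binary from the hook is what removes that last finding.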
Recommendations
- AI detected serious security threats; the skill should not be installed as published.
- Pin the hook dependency to an exact version instead of the '@alpha' dist-tag, and preferably install it ahead of time so that invoking the skill does not trigger a registry fetch.
- Keep user-supplied task text out of the shell hooks, and delimit it clearly from the 'MANDATORY' coordination instructions handed to spawned agents so that task content cannot be read as protocol.
Audit Metadata