agent-worker-specialist

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection via its shared coordination memory.
    • Ingestion points: The skill retrieves state from 'swarm$shared$dependencies' and implicitly receives tasks from a 'queen$coordinator' via the coordination namespace.
    • Boundary markers: Absent; the skill treats all retrieved JSON data as trusted state.
    • Capability inventory: High-privilege capabilities including file modification, code implementation, and test execution.
    • Sanitization: Absent; there is no validation of retrieved data before it influences agent actions.
  • DATA_EXFILTRATION (MEDIUM): The worker constantly broadcasts sensitive internal metadata. Evidence: The protocol shows the agent storing detailed logs, including 'files_modified', 'findings', and 'deliverables', into a shared 'coordination' namespace, which risks exposing system internals to unauthorized agents or observers.
  • COMMAND_EXECUTION (MEDIUM): Instructions define workflows for executing code and running tests based on external state. Evidence: The 'Testing Worker' and 'Code Implementation Worker' roles describe performing side-effect-heavy operations driven by the data found in the shared memory space.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 02:50 AM