swarm-research-pack
Warn
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a local Python script
scripts/build_research_pack.pyto process codebase artifacts. - [DATA_EXFILTRATION]: The
scripts/build_research_pack.pyscript accepts arbitrary file and directory paths as arguments and reads their content to generate previews. The script lacks path validation, allowing it to read any file accessible to the execution environment, such as configuration files, logs, or sensitive source code. It usespath.read_text()andpath.iterdir()on these unvalidated paths. Additionally, theload_profilefunction is vulnerable to path traversal, as it constructs a file path using a user-provided profile name without sanitization. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) because it ingests untrusted data from local files and incorporates it into the agent's context. 1. Ingestion points: Local files and directories provided via the
--pathargument inscripts/build_research_pack.py. 2. Boundary markers: The script outputs snippets under markdown headers but lacks explicit instructions for the agent to ignore embedded instructions. 3. Capability inventory: The skill can read local files and list directories. 4. Sanitization: No sanitization or escaping is performed on the content of the read files before inclusion in the research pack.
Audit Metadata