swarm-team-lead
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE; findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill establishes a workflow vulnerable to indirect prompt injection.
- Ingestion points: The agent is instructed to monitor an inbox (/claude-swarm:swarm-inbox) containing messages from teammates and join requests from external agents, representing untrusted data sources.
- Boundary markers: The instructions lack guidance on using delimiters or ignoring potential instructions embedded within these messages.
- Capability inventory: The agent has extensive capabilities, including spawning new agents (/claude-swarm:swarm-spawn), broadcasting instructions to a team, and injecting text directly into other agents' terminal sessions (/claude-swarm:swarm-send-text).
- Sanitization: No content validation or sanitization steps are defined for handling the incoming agent messages before they are processed by the lead agent.
- [COMMAND_EXECUTION]: The skill documentation encourages the use of various framework-specific command-line tools for orchestration. Notably, it includes the ability to send control characters such as carriage returns (\r) into other agents' terminal sessions, which could be abused if an attacker-controlled agent sends a malicious message to the team lead and the lead relays it without validation.
Audit Metadata