dev-swarm-headless-ai-agents
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill provides explicit instructions and command-line flags (
--dangerously-skip-permissions,--yolo,--ask-for-approval never) designed to bypass the safety and permission guardrails of AI agents. - [COMMAND_EXECUTION]: The documentation encourages the execution of AI agents in a mode that automatically approves all system actions, including file writes and shell command execution, without user intervention.
- [REMOTE_CODE_EXECUTION]: The Python code examples provided in the reference files use the
subprocessmodule to execute system commands with unsanitized user-provided prompts, presenting a potential command injection surface if integrated into other applications. - [PROMPT_INJECTION]: The skill demonstrates a vulnerability surface for indirect prompt injection (Category 8).
- Ingestion points: The skill instructs users to pipe local files (e.g.,
cat main.py) and version control data (e.g.,git diff) directly into AI agents. - Boundary markers: No delimiters or protective instructions are used to separate untrusted data from the agent's instructions.
- Capability inventory: Agents are executed with flags that permit automated file writes and command execution without confirmation.
- Sanitization: No sanitization or validation of the ingested data is recommended before processing.
Audit Metadata