choosing-swarm-patterns

Pass

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface
  • The skill utilizes a pattern where the output of one agent step is directly interpolated into the instructions for a subsequent step (e.g., task: 'Implement: {{steps.plan.output}}'). This creates a risk where a compromised or malicious agent could include instructions in its output that hijack the behavior of downstream agents.
  • Ingestion points: Workflow definitions in SKILL.md (TypeScript and YAML examples).
  • Boundary markers: There is an absence of delimiters or instructions for the agent to ignore potentially malicious embedded content within the interpolated data.
  • Capability inventory: Agents are configured with powerful capabilities including shell command execution (npm test) and file system access (permissions: { access: readwrite }).
  • Sanitization: No sanitization or validation logic is present to filter agent outputs before they are used as prompts.
  • [COMMAND_EXECUTION]: Shell Command and CLI Execution
  • The skill examples demonstrate the use of a command field to execute arbitrary shell commands such as npm test and git status --porcelain.
  • It also references invoking various CLI tools (e.g., claude, codex) as part of the agent configurations.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 19, 2026, 01:46 PM
Security Audit — agent-trust-hub — choosing-swarm-patterns