choosing-swarm-patterns
Pass
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface
- The skill utilizes a pattern where the output of one agent step is directly interpolated into the instructions for a subsequent step (e.g.,
task: 'Implement: {{steps.plan.output}}'). This creates a risk where a compromised or malicious agent could include instructions in its output that hijack the behavior of downstream agents. - Ingestion points: Workflow definitions in
SKILL.md(TypeScript and YAML examples). - Boundary markers: There is an absence of delimiters or instructions for the agent to ignore potentially malicious embedded content within the interpolated data.
- Capability inventory: Agents are configured with powerful capabilities including shell command execution (
npm test) and file system access (permissions: { access: readwrite }). - Sanitization: No sanitization or validation logic is present to filter agent outputs before they are used as prompts.
- [COMMAND_EXECUTION]: Shell Command and CLI Execution
- The skill examples demonstrate the use of a
commandfield to execute arbitrary shell commands such asnpm testandgit status --porcelain. - It also references invoking various CLI tools (e.g.,
claude,codex) as part of the agent configurations.
Audit Metadata