swarm
Pass
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it reads and acts upon instructions stored in local files such as implementation plans and task lists.
- Ingestion points: The orchestrator reads data from
docs/plans/{feature-name}.mdanddocs/tasks/{feature-name}-phase-*.mdto configure worker agents. - Boundary markers: No explicit safety delimiters or "ignore instructions" warnings are described when passing task content to the
agent_spawntool. - Capability inventory: The orchestrator has the ability to execute shell commands (git, gh, bun) and spawn new agents with access to the local codebase.
- Sanitization: Content from these local files is interpolated into agent parameters without explicit escaping or validation.
- [COMMAND_EXECUTION]: The skill automates the execution of local project commands such as
bun run lint,bun run test, andbun run build. While this is standard for development tools, it involves executing code within the local repository that may have been modified by worker agents.
Audit Metadata