skills/ruvnet/ruflo/monitor-stream/Gen Agent Trust Hub

monitor-stream

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to run npx @claude-flow/cli@latest, which downloads and executes code from the public NPM registry at runtime. The use of the @latest tag pulls the most recent version of the tool without version pinning, posing a risk of executing unvetted or malicious updates.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute npx @claude-flow/cli@latest swarm watch --stream, a persistent process whose output is monitored and processed by the agent.
  • [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection because it processes live swarm event data which may contain untrusted content from the environment.
      • Ingestion points: The stdout line events produced by the swarm watch --stream command in SKILL.md.
      • Boundary markers: No delimiters or specific instructions are provided to help the agent distinguish between trusted commands and untrusted data within the stream.
      • Capability inventory: The agent has access to the Bash tool and multiple MCP tools (mcp__claude-flow__swarm_status, mcp__claude-flow__swarm_health), which could be targeted by instructions embedded in the monitored data.
      • Sanitization: There is no evidence of sanitization or schema validation for the NDJSON events before they are processed by the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: May 19, 2026, 10:47 PM