Back to skill

Security audit

Swarm Sprint

Security checks across malware telemetry and agentic risk

Overview

This worktree automation skill appears purpose-aligned, but its cleanup and command execution can delete local developer data too broadly without strong safeguards.

Review before installing or running. Use only on disposable or backed-up repositories, inspect swarm-packages.json before cleanup, avoid untrusted task IDs or task files, and prefer a version that validates paths and asks for explicit confirmation before deleting worktrees or branches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The cleanup step instructs users to delete all worktrees and branches with 'always, no exceptions' language, but it does not require verification that changes were merged, committed, or otherwise preserved first. In a parallel multi-agent workflow, this increases the chance of accidental data loss if a user runs cleanup prematurely or if an agent left important uncommitted work in a worktree.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The cleanup path performs destructive filesystem and git operations using --force and a fallback rm -rf on computed paths, without an explicit confirmation step or strong path validation. If repoPath or package-derived worktree paths are incorrect, tampered with, or unexpectedly resolved, the script can delete unintended directories or destroy uncommitted work.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/swarm.js:38