@nathanogaga118 nathanogaga118 commented Aug 10, 2025

Vulnerable File: agent_registry.py

Vulnerable Function:

https://github.com/kyegomez/swarms/blob/master/swarms/structs/agent_registry.py

def add(self, agent: Agent) -> None:
    """
    Adds a new agent to the registry.

    Args:
        agent (Agent): The agent to add.

    Raises:
        ValueError: If the agent_name already exists in the registry.
        ValidationError: If the input data is invalid.
    """
    name = agent.agent_name  # No validation for agent_name

    self.agent_to_py_model(agent)

    with self.lock:
        if name in self.agents:
            logger.error(
                f"Agent with name {name} already exists."
            )
            raise ValueError(
                f"Agent with name {name} already exists."
            )
        try:
            self.agents[name] = agent
            logger.info(f"Agent {name} added successfully.")
        except ValidationError as e:
            logger.error(f"Validation error: {e}")
            raise

Description:

The add function in agent_registry.py lacks proper input validation for the agent_name. The function assumes that agent_name is valid and does not check for conditions such as being None, empty, or non-string. This oversight can lead to unexpected behavior, data corruption, and potential security vulnerabilities.

Impact:

Unexpected Behavior: Without validation, the system may accept invalid agent names, leading to errors when attempting to retrieve, update, or delete agents.

Data Corruption: Invalid entries could corrupt the registry, affecting other operations and leading to inconsistent states.

Security Risks: If the system is exposed to user inputs, attackers might exploit this lack of validation to inject harmful data or cause denial of service.

Severity: high-medium

It can cause significant operational issues.

Proof of Concept (PoC):

from swarms.structs.agent_registry import AgentRegistry


# Mock Agent class for demonstration
class Agent:
    def __init__(self, agent_name, description=None):
        self.agent_name = agent_name
        self.description = description

    def to_dict(self):
        return {"agent_name": self.agent_name, "description": self.description}


# Initialize the registry
registry = AgentRegistry()

# Malicious or malformed input
malformed_agent_name = None  # Invalid agent name
malformed_agent = Agent(agent_name=malformed_agent_name)

# Attempt to add the malformed agent
try:
    registry.add(malformed_agent)
except ValueError as e:
    print(f"Caught ValueError: {e}")
except Exception as e:
    print(f"Caught unexpected exception: {e}")

Key Fixes
Validation in add() — ensures agent_name is a non-empty, non-whitespace string.

Validation in add_many() — pre-checks the batch before starting threads.

test file

C:\Users\user\swarms>python test_agent_registry.py

✅ PASSED: Rejected invalid name None
2025-08-09 19:37:13 | WARNING | swarms.structs.agent:reliability_check:1564 - The agent name is not set. Please set an agent name to improve reliability.
✅ PASSED: Rejected invalid name ''
2025-08-09 19:37:13 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Rejected invalid name ' '
2025-08-09 19:37:13 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Rejected invalid name 123
2025-08-09 19:37:13 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Rejected invalid name []
2025-08-09 19:37:13 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Rejected invalid name {}
2025-08-09 19:37:13 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Accepted valid name 'AgentOne'
2025-08-09 19:37:13 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Accepted valid name 'agent_two'

C:\Users\user\swarms>python test_agent_registry.py

✅ PASSED: Rejected invalid name None
2025-08-09 19:44:07 | WARNING | swarms.structs.agent:reliability_check:1564 - The agent name is not set. Please set an agent name to improve reliability.
✅ PASSED: Rejected invalid name ''
2025-08-09 19:44:07 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Rejected invalid name ' '
2025-08-09 19:44:07 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
2025-08-09 19:44:07 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Rejected invalid name 123
2025-08-09 19:44:07 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Rejected invalid name []
2025-08-09 19:44:07 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Rejected invalid name {}
2025-08-09 19:44:07 | ERROR | swarms.structs.agent_registry:add:86 - Invalid agent_name. It must be a non-empty string.
✅ PASSED: Accepted valid name 'AgentOne'
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:agent_to_py_model:224 - Agent AgentOne converted to Pydantic model.
✅ PASSED: Accepted valid name 'agent_two'
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:add:97 - Agent AgentOne added successfully.
✅ PASSED: Accepted valid name 'AGENT-003'
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:list_agents:159 - Listing all agents.
✅ PASSED: Accepted valid name 'Test Agent'
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:agent_to_py_model:224 - Agent agent_two converted to Pydantic model.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:add:97 - Agent agent_two added successfully.
✅ PASSED: Rejected duplicate name 'AgentOne'
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:list_agents:159 - Listing all agents.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:agent_to_py_model:224 - Agent AGENT-003 converted to Pydantic model.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:add:97 - Agent AGENT-003 added successfully.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:list_agents:159 - Listing all agents.
✅ PASSED: add_many() rejected batch with invalid name before threading
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:agent_to_py_model:224 - Agent Test Agent converted to Pydantic model.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:add:97 - Agent Test Agent added successfully.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:list_agents:159 - Listing all agents.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:agent_to_py_model:224 - Agent AgentOne converted to Pydantic model.
2025-08-09 19:44:08 | ERROR | swarms.structs.agent_registry:add:93 - Agent with name AgentOne already exists.
✅ PASSED: add_many() accepted all valid names
2025-08-09 19:44:08 | WARNING | swarms.structs.agent:reliability_check:1564 - The agent name is not set. Please set an agent name to improve reliability.
2025-08-09 19:44:08 | ERROR | swarms.structs.agent_registry:add_many:110 - Invalid agent_name in batch: None
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:agent_to_py_model:224 - Agent BatchAgent3 converted to Pydantic model.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:add:97 - Agent BatchAgent3 added successfully.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:agent_to_py_model:224 - Agent BatchAgent4 converted to Pydantic model.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:add:97 - Agent BatchAgent4 added successfully.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:list_agents:159 - Listing all agents.
2025-08-09 19:44:08 | INFO | swarms.structs.agent_registry:list_agents:159 - Listing all agents.


📚 Documentation preview 📚: https://swarms--1019.org.readthedocs.build/en/1019/
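
The validation described under "Key Fixes", as an added example that is not part of the pull request or the swarms code base. `StubAgent`, `MiniRegistry`, `validate_agent_name` and `rejected` are hypothetical names, and the all-or-nothing behaviour of `add_many()` is an assumption about what pre-checking the batch before starting threads is meant to guarantee.

```python
import threading
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Any, Dict, List


@dataclass
class StubAgent:
    """Hypothetical stand-in for swarms' Agent; only agent_name matters here."""
    agent_name: Any


def validate_agent_name(name: Any) -> str:
    """Return the name unchanged if it is a non-empty, non-whitespace str."""
    if not isinstance(name, str) or not name.strip():
        raise ValueError("Invalid agent_name. It must be a non-empty string.")
    return name


class MiniRegistry:
    """Hypothetical minimal registry, not the swarms AgentRegistry."""

    def __init__(self) -> None:
        self.agents: Dict[str, StubAgent] = {}
        self.lock = threading.Lock()

    def add(self, agent: StubAgent) -> None:
        name = validate_agent_name(agent.agent_name)  # reject before locking
        with self.lock:
            if name in self.agents:
                raise ValueError(f"Agent with name {name} already exists.")
            self.agents[name] = agent

    def add_many(self, agents: List[StubAgent]) -> None:
        # Pre-check the whole batch so a bad entry cannot leave a partial insert.
        for agent in agents:
            validate_agent_name(agent.agent_name)
        with ThreadPoolExecutor() as pool:
            for future in [pool.submit(self.add, a) for a in agents]:
                future.result()  # surface duplicate-name errors from workers


def rejected(registry: MiniRegistry, name: Any) -> bool:
    """True if add() refuses the given name."""
    try:
        registry.add(StubAgent(name))
    except ValueError:
        return True
    return False
```

Because the batch is validated before any worker thread starts, a batch containing one invalid name leaves the registry untouched instead of holding whichever valid agents happened to be added first.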

@nathanogaga118

FzHhSiLUXrNsAg1uFrkXhaDYiMsvaF7ih38yUX4y1gzJ

Network: solana
