orcahand
Warn
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The bootstrap script
scripts/orcahand_init.pyis configured to clone five external repositories fromhttps://github.com/orcahand/(orcahand_description, orca_sim, orca_core, orca_retargeter, and rwr_system). This introduces external code dependencies into the user's environment at runtime. - [REMOTE_CODE_EXECUTION]: After cloning the repositories,
scripts/orcahand_init.pyexecutespip install -eon the downloaded directories. This process runs the installation logic (such assetup.pyor build hooks) contained within those external repositories, effectively executing remote code. - [COMMAND_EXECUTION]: The script
scripts/orcahand_init.pyusessubprocess.runto programmatically invoke system binaries includinggitandpip. Although used with hardcoded URLs and paths, this pattern facilitates the execution of shell-level operations. - [REMOTE_CODE_EXECUTION]: The health check utility
scripts/orcahand_check.pyemploys the__import__function to dynamically load modules for dependency verification. Dynamic module loading is a sensitive operation that can be leveraged to execute code if module paths are manipulated.
Audit Metadata