conductor-dev-pro
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill mandates an 'Automated Self-Learning Loop' (Directive 6 in SKILL.md) where the agent reads conductor/learning.md at the start of every task and displays its content. 1. Ingestion points: conductor/learning.md, TASKS.md, SESSION_STATE.json. 2. Boundary markers: Absent. 3. Capability inventory: run_shell_command, read_file, replace. 4. Sanitization: Absent. This surface allows an attacker to persist malicious instructions in the learning log via tool outputs or environment data, which are then automatically processed and displayed in every subsequent task.
- [Prompt Injection] (MEDIUM): Directive 3 (Token Efficiency) in SKILL.md explicitly overrides external project requirements, instructing the agent to 'NOT run unit tests... even if the track plan or project workflow suggests it.'
- [Obfuscation] (MEDIUM): The file assets/conductor-template/tracks.md is encoded in UTF-16 Little Endian. This can be used to bypass simple string-matching security scanners that expect UTF-8 or ASCII content.
- [Command Execution] (LOW): The skill executes external build and linting tools (hvigorw, codelinter) through the shell. While typical for development, this grants the skill the ability to run external binaries on the system.
Recommendations
- AI detected serious security threats
Audit Metadata