community-post
Audited by Socket on Mar 6, 2026
1 alert found:
Obfuscated File
The orchestrator itself contains no direct malicious code patterns: no network endpoints, no credential use, no command execution. The highest risk is transitive. It forwards local episode metadata and user inputs to foundation skills without enforced trust boundaries or sanitization, and it writes foundation-supplied content to disk once the user approves. Treat the invoked foundation skills as untrusted inputs: normalize and contain every path they return, sanitize their output before it is written, run them with least privilege, and log and audit their behavior. With those mitigations the orchestrator can be used safely; without them it presents a moderate supply-chain (transitive) risk, primarily data exfiltration via the forwarded inputs or malicious content inserted through the approved writes.
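The path-normalization and output-sanitization mitigations above, as an added example that is not the orchestrator's own code. It assumes a hypothetical approval gate (`approved` flag), a hypothetical scratch base directory, and constructed skill outputs; the function and class names are illustrative, not from the package.

```python
import logging
import os
import re
import tempfile
from pathlib import Path

# Hypothetical audit logger; the orchestrator on this page has no equivalent.
log = logging.getLogger("skill_guard")

# ANSI escape sequences and control characters (except tab, LF, CR) that a
# skill could use to hide text from a reviewer or corrupt the written file.
_ANSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")
_CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class SkillOutputRejected(ValueError):
    """Raised when foundation-skill output fails a trust-boundary check."""


def resolve_inside(base_dir: Path, relative: str) -> Path:
    """Normalize a skill-supplied path and require that it stays under base_dir.

    resolve() collapses '..' segments and follows symlinks, so a symlink
    inside base_dir that points outside is rejected as well.
    """
    if not relative or relative.startswith(("/", "\\")) or "\x00" in relative:
        raise SkillOutputRejected(f"absolute, empty or NUL-containing path: {relative!r}")
    base = base_dir.resolve()
    target = (base / relative).resolve()
    if target == base or base not in target.parents:
        raise SkillOutputRejected(f"path escapes approved directory: {relative!r}")
    return target


def sanitize_text(content: str, max_bytes: int = 64 * 1024) -> str:
    """Strip terminal escapes and stray control characters; cap the size."""
    cleaned = _CONTROL.sub("", _ANSI.sub("", content))
    if len(cleaned.encode("utf-8")) > max_bytes:
        raise SkillOutputRejected("content exceeds size limit")
    return cleaned


def write_skill_output(base_dir: Path, relative: str, content: str,
                       skill_name: str, approved: bool) -> Path:
    """Write foundation-supplied content only after approval and containment checks."""
    if not approved:
        log.warning("skill=%s path=%r rejected: not approved", skill_name, relative)
        raise SkillOutputRejected("write not approved")
    try:
        target = resolve_inside(base_dir, relative)
        data = sanitize_text(content)
    except SkillOutputRejected as exc:
        log.warning("skill=%s path=%r rejected: %s", skill_name, relative, exc)
        raise
    target.parent.mkdir(parents=True, exist_ok=True)
    # O_NOFOLLOW (where available) closes the window in which a symlink could be
    # swapped in between the resolve() check and the actual open.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(data)
    log.info("skill=%s wrote %d bytes to %s", skill_name, len(data), target)
    return target


def demo() -> dict:
    """Exercise the guard against a scratch directory with constructed inputs."""
    base = Path(tempfile.mkdtemp(prefix="skill-out-"))
    results = {}
    # Constructed skill output containing an ANSI colour code and a NUL byte.
    written = write_skill_output(base, "notes/episode-1.md",
                                 "hello\x1b[31m world\x00", "demo-skill", approved=True)
    results["written"] = written.read_text(encoding="utf-8")
    for label, rel in [("traversal", "../outside.md"),
                       ("absolute", "/etc/passwd"),
                       ("nested_traversal", "notes/../../x.md")]:
        try:
            write_skill_output(base, rel, "x", "demo-skill", approved=True)
            results[label] = "accepted"
        except SkillOutputRejected:
            results[label] = "rejected"
    try:
        write_skill_output(base, "ok.md", "x", "demo-skill", approved=False)
        results["unapproved"] = "accepted"
    except SkillOutputRejected:
        results["unapproved"] = "rejected"
    return results


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The containment check compares fully resolved paths rather than string prefixes, so `base/..`, symlinked parents, and `base_dir-evil` siblings are all handled; least-privilege execution of the skill process itself (separate user, seccomp, container) is outside what this guard can enforce and still has to be arranged by the caller.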