conductor-setup
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill creates and executes shell scripts (
scripts/conductor-setup.sh) and generates aconductor.jsonfile containing arbitrary shell commands for the 'run' and 'setup' keys. These commands are executed viazshand are derived from the agent's inspection of untrusted repository files. - DATA_EXFILTRATION / EXPOSURE (MEDIUM): The skill is specifically designed to discover and symlink sensitive
.envand.env.localfiles. While intended for local development, this mechanism could be abused to expose sensitive host credentials by symlinking them into workspace directories that might have different access controls or visibility. - INDIRECT PROMPT INJECTION (HIGH): The skill processes untrusted repository content to make decisions about what commands to write into executable configuration files.
- Ingestion points: The agent 'inspects' the repository structure, package manager files (e.g.,
package.json,requirements.txt), and framework configurations to determine setup and run commands. - Boundary markers: None. There are no delimiters or instructions to ignore embedded commands within the files being inspected.
- Capability inventory: The skill uses
chmod +x, creates shell scripts, creates JSON configuration files that execute shell commands, and performs filesystem symlinking (ln -sf). - Sanitization: No sanitization or validation is performed on the 'detected' commands before they are written to
conductor.jsonorscripts/conductor-setup.sh. - REMOTE_CODE_EXECUTION (MEDIUM): The skill instructs the agent to perform package installations (
npm install,pip install, etc.) based on the detected project type. While standard for setup tools, these installations are unverifiable and occur automatically as part of the setup workflow.
Recommendations
- AI detected serious security threats
Audit Metadata