hetzner-coder

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The Ansible playbook in 'references/ansible-integration.md' installs Docker using 'curl -fsSL https://get.docker.com | sh'. This method of remote code execution is highly discouraged as it grants unverified third-party scripts root execution privileges without integrity checks.
  • [COMMAND_EXECUTION] (HIGH): The provisioning script in 'references/ansible-integration.md' disables SSH host key checking via 'ANSIBLE_HOST_KEY_CHECKING=False' and 'StrictHostKeyChecking=accept-new'. This bypasses critical security safeguards, making the initial connection vulnerable to interception.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill uses 'ansible-galaxy install' to fetch external roles from the Galaxy registry at runtime. This introduces a dependency on unverified external code that can be modified without notice.
  • [DATA_EXFILTRATION] (SAFE): Sensitive credentials for Hetzner and Object Storage are handled via OpenTofu variables and 1Password CLI integration (op read), which follows security best practices for avoiding hardcoded secrets.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 18, 2026, 03:20 AM