orbstack-best-practices
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill explicitly documents the path to the user's SSH private key (~/.orbstack/ssh/id_ed25519). An agent following these instructions could read or expose this sensitive credential.
- [COMMAND_EXECUTION] (HIGH): The skill details several methods for arbitrary command execution. Specifically, the mac utility (e.g. mac uname -a) allows commands to be executed on the macOS host from within the Linux VM. Additionally, orb -u root and orb -m myvm ./script.sh facilitate command execution with elevated privileges on the guest.
- [DATA_EXFILTRATION] (MEDIUM): The documentation highlights file sharing paths that provide full access to the macOS host filesystem (/mnt/mac/Users/...) from within the VM. Combined with orb push/pull and network capabilities, this creates a high-risk path for data exfiltration from the host.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill provides an ingestion surface for untrusted data via cloud-init configurations (orb create ubuntu myvm -c cloud.yml).
- Ingestion points: External YAML files (cloud.yml, user-data.yml).
- Boundary markers: None present.
- Capability inventory: Full VM lifecycle management, host command execution, file system access, and network operations.
- Sanitization: None mentioned.
- Risk: An attacker-controlled YAML file could execute malicious commands on the host or guest during the VM creation process.
Recommendations
- AI detected serious security threats
Audit Metadata