orbstack-best-practices
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- CREDENTIALS_UNSAFE (HIGH): The skill explicitly reveals the location of sensitive authentication material, specifically the OrbStack SSH private key at '~/.orbstack/ssh/id_ed25519'.
- COMMAND_EXECUTION (HIGH): The skill documents the 'mac' command utility, which allows for arbitrary command execution on the macOS host system from within a Linux VM (e.g., 'mac uname -a'). This effectively bypasses the isolation boundary between the virtualized environment and the host.
- DATA_EXFILTRATION (HIGH): The documentation highlights direct access to the host's home directory ('/mnt/mac/Users/...') and provides commands ('orb pull') that can be used to move sensitive files from the host to the VM, where they might be further exfiltrated via network operations.
- PROMPT_INJECTION (HIGH): The skill exposes a large attack surface for Indirect Prompt Injection (Category 8).
  - Ingestion points: External 'cloud-init' configuration files ('user-data.yml') and shell scripts ('script.sh') are used to provision and control VMs.
  - Boundary markers: None identified. There are no instructions to validate or delimit external configuration content.
  - Capability inventory: Includes root execution ('orb -u root'), host command execution ('mac'), and host filesystem access.
  - Sanitization: None identified. The skill encourages passing environment variables (such as AWS_PROFILE) directly into the VM environment without filtering.
Recommendations
- AI detected serious security threats