conductor-implement
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION] (HIGH): Indirect Prompt Injection surface. Ingestion points: conductor/tracks/{trackId}/plan.md (task descriptions) and spec.md (requirements). Boundary markers: Absent; the agent is instructed to parse and follow the descriptions directly as its workflow loop. Capability inventory: Full file system write access for implementation and shell command execution (npm test, pytest, git). Sanitization: Absent; there are no instructions to validate or escape content from the plan files before execution or implementation.
- [COMMAND_EXECUTION] (HIGH): Arbitrary command execution via test runners. The skill invokes shell commands such as npm test or pytest and potentially other verification tasks defined in the project's metadata. A malicious actor could embed shell-breaking characters or direct command payloads into the plan.md tasks or verification rules, which the agent would then execute with its current shell privileges.
Recommendations
- AI detected serious security threats
Audit Metadata