setup-process

Warn

Audited by Gen Agent Trust Hub on Apr 28, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill accesses and copies sensitive environment files and AI tool configuration directories.
      • Evidence: The instructions in SKILL.md describe a shared pattern of copying .env, .env.local, and .env.development files from the source repository to new worktrees.
      • Evidence: The skill also targets AI-specific configuration directories including .agents, .claude, .codex, and .cursor for replication across environments using rsync and cp commands.
  • [COMMAND_EXECUTION]: The skill generates shell scripts containing installation and execution commands derived from project-level files.
      • Evidence: Templates for Cursor (setup-worktree), Codex ([setup] script), and Conductor (scripts.setup) include placeholders like {INSTALL_CMD} and {RUN_CMD} intended to be populated by the agent after analyzing the repository.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted local data to determine its actions.
      • Ingestion points: SKILL.md directs the agent to read the project's README, package.json, Makefile, and Cargo.toml to identify the correct installation and run commands.
      • Boundary markers: Absent. There are no instructions to distinguish between legitimate project metadata and potentially malicious instructions embedded in these files.
      • Capability inventory: The skill can perform file system operations (mkdir, cp, rsync) and generate arbitrary shell commands for execution in a worktree context.
      • Sanitization: Absent. The skill provides no logic for validating or escaping the strings extracted from project files before they are inserted into shell templates.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 28, 2026, 06:50 AM