conductor-setup

Fail

Audited by Gen Agent Trust Hub on Apr 13, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill's setup script (bin/conductor-setup) programmatically accesses and symlinks sensitive files including .env and config/master.key from the project's root directory. These files typically store API keys, database credentials, and Rails encryption secrets, making them accessible to the agent and workspace environment.
  • [EXTERNAL_DOWNLOADS]: The skill automates the execution of bundle install and npm install during the project setup process. These commands fetch and install external code packages from public registries (RubyGems and NPM), which introduces a dependency on external sources and potential supply chain risks if the project's manifest files are not verified.
  • [COMMAND_EXECUTION]: The skill utilizes shell commands to create new executable scripts (bin/conductor-setup, script/server), modify file permissions using chmod +x, and manage the execution of the Rails development server. This establishes a custom execution flow within the workspace that runs with the agent's privileges.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 13, 2026, 11:21 PM