Security Audit
conductor-implement
Repository: github.com/sickn33/antigravity-awesome-skills
Trust Assessment
conductor-implement received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include Command Injection via Git Commit Message, Command Injection via Test Suite Execution, and Path Traversal in File Operations.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 11/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Command Injection via Git Commit Message.** The skill constructs `git commit` commands using user-controlled variables (`{commit_prefix}`, `{task description}`, `{trackId}`) directly within the commit message. An attacker could inject shell commands by crafting a malicious task description or commit prefix, leading to arbitrary code execution on the host system. For example, a `{task description}` like `'; rm -rf /; echo '` could delete critical files. All user-provided input used in shell commands must be strictly sanitized or escaped. For commit messages, use a dedicated Git client library that handles escaping, or ensure the LLM explicitly escapes special characters (e.g., quotes, semicolons, backticks) before constructing the command string. Consider using a tool call that takes parameters rather than raw command strings. | LLM | SKILL.md:100 |
| CRITICAL | **Command Injection via Test Suite Execution.** The skill explicitly instructs to run test suites using commands like `npm test` or `pytest`. If the project's `package.json` (for npm) or `pyproject.toml`/`setup.py` (for pytest) is untrusted or can be modified by an attacker, these commands could execute arbitrary malicious scripts defined within the project's test configuration. This is a common supply chain attack vector. Avoid executing arbitrary test commands from untrusted project contexts. If testing is necessary, it should be done in an isolated, sandboxed environment with strict resource and network controls. Alternatively, use a dedicated, secure testing tool that only executes predefined, safe test runners and does not allow arbitrary script execution from project configuration files. | LLM | SKILL.md:80 |
| HIGH | **Path Traversal in File Operations.** The skill constructs file paths using user-controlled variables such as `{argument}` (from `[track-id]`) and `{trackId}` without explicit sanitization. An attacker could provide a path traversal sequence (e.g., `../..`) in these variables to access or modify files outside the intended `conductor/tracks/` directory, leading to data exfiltration, unauthorized modification, or denial of service. Implement strict input validation and sanitization for all user-provided path components. Ensure that path segments do not contain directory traversal sequences (e.g., `..`, `/`, `\`) and are restricted to alphanumeric characters or a safe whitelist. Use a robust path joining function that normalizes paths and prevents traversal. | LLM | SKILL.md:40 |
| MEDIUM | **Excessive File System Write Permissions.** The skill describes numerous operations involving writing to and modifying files within the `conductor/` and `conductor/tracks/{trackId}/` directories, including creating new files, updating existing ones (e.g., `plan.md`, `metadata.json`), and potentially writing to `product.md`, `tech-stack.md`, and `README.md` during documentation sync. While necessary for its function, if combined with path traversal or untrusted content generation, this broad write access could be exploited to inject malicious code or data into critical project files. Ensure all content written to files is either strictly controlled by the skill's internal logic or thoroughly sanitized if derived from untrusted sources. Implement file system access controls (e.g., ACLs, sandboxing) to limit the skill's write scope to only necessary directories and file types. Review the content generation logic for documentation sync to prevent injection of malicious scripts or markdown. | LLM | SKILL.md:56 |
| MEDIUM | **Excessive File System Delete/Move Permissions.** The 'Cleanup options' section offers to 'Archive' (move) or 'Delete' track directories. If the `{trackId}` variable is vulnerable to path traversal, an attacker could manipulate it to move or delete arbitrary directories or files on the system, leading to data loss or denial of service. Apply the same strict input validation and sanitization for `{trackId}` as recommended for path traversal vulnerabilities. Ensure that any underlying file system operations (move, delete) are performed using secure APIs that prevent directory traversal and operate strictly within the intended scope. | LLM | SKILL.md:149 |
Full report: https://skillshield.io/report/0198c2d7e43560ed
Powered by SkillShield