conductor-setup
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill performs standard project initialization tasks, such as generating documentation (index.md, product.md) and maintaining a local state file (conductor/setup_state.json) to track progress.
- [COMMAND_EXECUTION]: The skill uses platform-provided tools such as
GlobandReadto inspect the local filesystem for existing project identifiers. This behavior is restricted to the project root and is used solely to provide intelligent defaults for the setup process. - [INDIRECT_PROMPT_INJECTION]: The skill processes data from local project files (e.g., parsing
package.jsonfor dependencies) which serves as an entry point for untrusted data. - Ingestion points: Section 3 and Section 5 analyze local files like
package.json,requirements.txt, and.eslintrc. - Boundary markers: None explicitly defined in the instructions.
- Capability inventory: File reading (
Read), file searching (Glob), and file writing. - Sanitization: The skill incorporates a human-in-the-loop verification step, explicitly asking the user to confirm or edit any auto-detected information before proceeding, which mitigates the risk of the agent being misled by malicious content in project configuration files.
Audit Metadata