Auto Conda Env

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it advertises—set up Conda environments—but it can install project dependencies and should only be used on projects you trust.

Before installing, confirm the target project path and Conda executable, review dependency files for untrusted packages or scripts, and avoid `--break-system-packages` unless you are certain pip is running inside the intended Conda environment.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or untrusted project dependency file could cause code to run during installation, even though the commands are intended for environment setup.

Why it was flagged

These commands install the local project and its dependencies. That is central to the skill, but Python package installation can run build/install code and download packages under the user's account.

Skill content

`CONDA run -n <env> pip install .` ... `CONDA run -n <env> pip install -r requirements.txt`

Recommendation

Use this skill only with trusted projects, review requirements/environment/pyproject files first, and keep installs inside the intended Conda environment.

What this means

If used outside the Conda environment, this could alter system-managed Python packages and make the local Python installation less stable.

Why it was flagged

This flag bypasses a pip safeguard. In the documented workflow it appears intended as a retry inside the target Conda environment, but it would be risky if applied to the system Python installation.

Skill content

Try `--break-system-packages` when pip is blocked by OS package protection

Recommendation

Only use `--break-system-packages` after confirming the command is running inside the target Conda environment; avoid using it with system Python.

What this means

Using an unexpected local Conda binary could install packages into the wrong environment or use unintended package configuration.

Why it was flagged

The skill will use a locally discovered Conda executable. This is expected for the purpose, but users should verify the selected executable is their intended Conda installation.

Skill content

Try these paths if conda is not in PATH: `which conda`, `~/.local/bin/conda`, `~/miniconda3/bin/conda`, `~/anaconda3/bin/conda`

Recommendation

Confirm which Conda executable is selected before creating or updating environments.