security-sandbox
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (LOW): The command extraction logic in scripts/command_validator.py relies on a simplified regex-based splitter that does not account for all shell subshell syntaxes, such as backticks. Since the validator primarily inspects the first token of each resulting part, commands nested within these unhandled syntaxes could bypass allowlist enforcement.
- [EXTERNAL_DOWNLOADS] (LOW): The skill's default allowlist includes network-capable utilities like curl, wget, ssh, and scp. Although necessary for many coding tasks, their presence increases the risk of data exfiltration or remote script ingestion if the agent is subjected to indirect prompt injection.
- [PROMPT_INJECTION] (LOW): Surface for Indirect Prompt Injection detected.
  1. Ingestion points: 'command' string in SecurityManager.pre_tool_hook (scripts/security_manager.py).
  2. Boundary markers: Absent.
  3. Capability inventory: Validation only; the skill itself does not execute commands.
  4. Sanitization: Regex filtering and shlex parsing in scripts/command_validator.py.
Audit Metadata