sandbox
Pass
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: SAFEPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill processes arbitrary HTML content via the
/sandbox pushcommand, which creates a surface for indirect prompt injection if the source of the HTML is untrusted.\n - Ingestion points:
index.ts(argument for the/sandbox pushcommand).\n - Boundary markers: None detected; instructions are not delimited or warned against.\n
- Capability inventory: Launching a local HTTP server (
startServer), rendering HTML, and capturing screenshots (snapshot) through an internalCanvasService.\n - Sanitization: No sanitization of the input HTML is performed before rendering.\n- Remote Code Execution (LOW): The skill facilitates the execution of JavaScript within the rendered HTML canvas. While disabled by default, the environment variables
CANVAS_ALLOW_JS_EVALandALLOW_UNSAFE_SANDBOXindicate that the underlying service can execute arbitrary scripts. Although this represents dynamic execution of code provided in inputs (typically MEDIUM severity), the risk is lowered because it is the primary purpose of a sandbox-themed skill.
Audit Metadata