cubesandbox-ai-sandbox
Warn
Audited by Snyk on Apr 30, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly instructs fetching and executing public third-party content, for example curl -sL https://github.com/tencentcloud/CubeSandbox/raw/master/deploy/one-click/online-install.sh | bash, and pulling Docker images from ccr.ccs.tencentyun.com or myregistry.example.com for template creation. The workflow requires this content, and because the agent acts on whatever it fetches, that content can materially alter runtime behavior and tool use.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's installation steps fetch and execute remote code at runtime: git clone https://github.com/tencentcloud/CubeSandbox.git followed by running scripts from the checkout, and curl -sL https://github.com/tencentcloud/CubeSandbox/raw/master/deploy/one-click/online-install.sh | bash (also mirrored at https://cnb.cool/...). These URLs directly deliver and execute code the skill requires, and they reference the mutable master branch rather than a pinned commit or a checksum, so whoever controls the repository or the mirror controls what the agent runs.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The prompt contains explicit host-level installation and management commands (a curl | bash installer, systemctl restart, installing services on port 3000, use of /root paths) that modify system files and services and would typically require elevated privileges, so following it changes the state of the host machine.
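The three findings above reduce to a small set of command patterns, and a skill author can catch them before publishing. The following is an added example written for this page; it is not Snyk's scanner and not code from the CubeSandbox project. It walks a SKILL.md line by line and reports the same three classes: a remote script piped into a shell, a third-party source with no pinned commit or image digest, and host service or privileged-path changes. The W011/W012/W013 codes are reused only as labels; the regexes, the constructed sample SKILL.md and the download-then-verify curl line at its end are assumptions for illustration.

```python
"""Lint for agent skill instruction files (SKILL.md).

Added example for this page; it is not Snyk's scanner and not part of the
CubeSandbox project. The W011/W012/W013 codes are reused only as labels,
and every regex and sample line below is an assumption made for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    code: str       # finding class, mirrors the audit's W0xx labels
    line_no: int    # 1-based line in the SKILL.md text
    label: str      # short description of why the line was flagged
    evidence: str   # the fragment that triggered the rule


# Predicates refine a regex hit with context from the whole line.
def _no_pinned_commit(line: str, _m: re.Match) -> bool:
    """git clone with no 40-hex commit anywhere on the line is unpinned."""
    return re.search(r"\b[0-9a-f]{40}\b", line) is None


def _no_image_digest(_line: str, m: re.Match) -> bool:
    """An image pulled by tag (or with no tag) can change under the same name."""
    return "@sha256:" not in m.group("image")


# (code, label, pattern, optional predicate); rules are tried in this order.
RULES = (
    ("W012", "remote script piped into a shell",
     re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b"), None),
    ("W011", "URL references a mutable branch instead of a commit",
     re.compile(r"https?://\S+/(?:raw/)?(?:master|main)/"), None),
    ("W011", "git clone without a pinned commit",
     re.compile(r"\bgit\s+clone\b"), _no_pinned_commit),
    ("W011", "container image without a content digest",
     re.compile(r"\b(?:docker|podman)\s+(?:pull|run)\s+(?:-\S+\s+)*(?P<image>[\w./:@-]+)"),
     _no_image_digest),
    ("W013", "host service or privileged-path modification",
     re.compile(r"\bsudo\b|\bsystemctl\s+(?:start|stop|restart|enable|disable|daemon-reload)\b"
                r"|/root/|/etc/systemd/"), None),
)


def scan_skill(text: str) -> list[Finding]:
    """Return every rule hit in the instructions, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for code, label, pattern, predicate in RULES:
            m = pattern.search(line)
            if m and (predicate is None or predicate(line, m)):
                findings.append(Finding(code, line_no, label, m.group(0).strip()))
    return findings


def codes_found(text: str) -> set[str]:
    """The set of finding classes present, the shape an audit summary reports."""
    return {f.code for f in scan_skill(text)}


# Constructed sample that paraphrases the commands quoted in the audit above;
# the last step is the download-then-verify form the lint does not flag.
SAMPLE_SKILL_MD = """\
# CubeSandbox setup (constructed sample, not the real SKILL.md)
1. curl -sL https://github.com/tencentcloud/CubeSandbox/raw/master/deploy/one-click/online-install.sh | bash
2. git clone https://github.com/tencentcloud/CubeSandbox.git
3. docker pull ccr.ccs.tencentyun.com/example/template:latest
4. sudo systemctl restart cubesandbox
5. Keep the generated config under /root/cubesandbox/config.yaml
6. curl -fsSLo install.sh https://example.invalid/install.sh && sha256sum -c install.sh.sha256
"""

if __name__ == "__main__":
    for f in scan_skill(SAMPLE_SKILL_MD):
        print(f"{f.code} line {f.line_no}: {f.label}  <- {f.evidence}")
    print("classes:", sorted(codes_found(SAMPLE_SKILL_MD)))
```

On the constructed sample the curl | bash line is reported twice (W012 for the pipe, W011 for the master branch URL), the bare git clone and the tag-only docker pull are W011, the sudo systemctl and /root lines are W013, and the final line, which saves the installer to disk and checks a checksum before anything runs, produces no finding. The rules are deliberately coarse: they flag by pattern, not by intent, so a hit is a prompt to review the line, not proof of malice.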
Issues (3)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W013 MEDIUM: Attempt to modify system services in skill instructions.