code-interpreter

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM

Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The execute_code tool enables the execution of arbitrary Python, JavaScript, and TypeScript code. This is a primary feature of the skill, but it represents a significant attack surface because it allows arbitrary, complex logic to run inside the sandbox.
  • [COMMAND_EXECUTION]: The execute_command tool provides a direct interface to a shell environment, allowing for the execution of arbitrary terminal commands (e.g., pip install, ls, curl).
  • [EXTERNAL_DOWNLOADS]: The skill documentation encourages and provides examples for downloading external content via pip install for third-party packages and requests.get for fetching data from remote URLs.
  • [DATA_EXFILTRATION]: The skill possesses a complete set of primitives for data exfiltration. It can read local sensitive files using file_operations or code, and it has network access via libraries like requests and boto3 or shell commands like curl to transmit that data to external endpoints.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data through requests.get (web content) and ci_pull_from_workspace (files from a shared S3 bucket). Malicious instructions embedded in these sources could influence the agent's behavior. The sandbox documentation does not specify the use of boundary markers or content sanitization to mitigate this risk.
Audit Metadata

Risk Level: MEDIUM

Analyzed: Mar 3, 2026, 11:18 PM