The Agent Skills Directory

[Prompt Injection] (HIGH): The skill serves as a primary vector for Indirect Prompt Injection (Category 8) because its core purpose is to ingest and execute untrusted content.
Ingestion points: Untrusted data enters the agent context through sandbox.runCode(code), sandbox.exec(command), and sandbox.writeFile(path, content) as defined in SKILL.md and references/api-quick-ref.md.
Boundary markers: Absent. There are no instructions for the agent to use delimiters or ignore embedded instructions within the processed code or files.
Capability inventory: The skill provides a dangerous combination of capabilities including arbitrary shell execution (exec), multi-language code execution (runCode), persistent file system writes (writeFile), and external network access via port exposure (exposePort).
Sanitization: Absent. No validation or filtering logic is suggested for external content.
[Remote Code Execution] (HIGH): The methods sandbox.runCode and sandbox.exec allow for the execution of arbitrary scripts and commands. While contained within a sandbox, an attacker who successfully influences the agent's input can leverage these to perform unauthorized operations, such as resource exhaustion or network scanning from within the Cloudflare environment.
[Command Execution] (HIGH): The skill explicitly instructs the agent on how to use sandbox.exec to run shell commands like python script.py and npm install. This provides a direct path for executing arbitrary system commands if the input strings are not strictly controlled.
[External Downloads] (LOW): The skill references the @cloudflare/sandbox npm package and the docker.io/cloudflare/sandbox image. While Cloudflare is a reputable organization, it is not included in the predefined trusted source list, requiring the finding to be noted at a LOW level per [TRUST-SCOPE-RULE].

sandbox-sdk