daytona-sandbox
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs the user to install the 'computesdk' package and adds remote skills from 'https://github.com/computesdk/sandbox-skills'. These sources (npm package and GitHub organization) are not in the 'Trusted External Sources' whitelist, posing a supply chain risk.
- COMMAND_EXECUTION (MEDIUM): The skill facilitates the execution of arbitrary code and shell commands within Daytona sandboxes using 'sandbox.runCode()'. While sandboxed, this provides a capability that can be exploited via indirect prompt injection if untrusted data is passed to the execution functions.
- INDIRECT_PROMPT_INJECTION (MEDIUM): The skill has a significant attack surface (Category 8).
  - Ingestion points: The 'runCode' method and shell command interface accept input that could originate from untrusted external sources.
  - Boundary markers: None identified in the provided code snippets or documentation.
  - Capability inventory: The skill explicitly enables code execution and filesystem operations via 'ComputeSDK'.
  - Sanitization: No evidence of sanitization or validation of the input strings before they are passed to the execution environment.
- CREDENTIALS_UNSAFE (INFO): The documentation references sensitive environment variables ('COMPUTESDK_API_KEY', 'DAYTONA_API_KEY'). Although only placeholders like 'your_computesdk_api_key' are provided, it encourages the use of persistent API keys.
Audit Metadata