modal-sandbox

Fail

Audited by Socket on Feb 17, 2026

1 alert found:

Malware (HIGH)
SKILL.md

[Skill Scanner] Installation of third-party script detected

All findings:
[CRITICAL] command_injection: Installation of third-party script detected (SC006) [AITech 9.1.4]
[CRITICAL] command_injection: Natural language instruction to download and install from URL detected (CI009) [AITech 9.1.4]

No direct evidence of malicious code in this documentation fragment. The design is consistent with a sandbox orchestration skill, but there are notable security concerns: default unencrypted port tunnels and a large capability surface (filesystem/shell/terminals) increase risk if credentials or sandbox workloads are compromised. Verify the SDK implementation for TLS usage, endpoint targets (no third-party relays), and ensure least-privilege credential scoping before use.

LLM verification: This SKILL.md is documentation for an SDK that legitimately requires API keys and provider tokens to manage Modal sandboxes and the listed capabilities align with the requested credentials. There is no direct evidence of malware or obfuscation in the provided documentation. Notable risks: (1) the install instruction uses an unpinned npm package (supply-chain risk), (2) the SDK will handle sensitive credentials (COMPUTESDK_API_KEY, MODAL_TOKEN_ID, MODAL_TOKEN_SECRET) so users must trust the compu

Confidence: 95%
Severity: 90%

Audit Metadata
Analyzed At: Feb 17, 2026, 12:57 AM
Package URL: pkg:socket/skills-sh/computesdk%2Fsandbox-skills%2Fmodal-sandbox%2F@488e95e0d46f9b571254ebfb4edb88c469740c3d