render-sandbox
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the installation of the `computesdk` package via npm. This package and its maintainers are not included in the trusted organizations list, posing a risk of supply chain attack if the package is malicious.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The documentation suggests using `npx skills add` to fetch and install a skill directly from a remote GitHub repository (https://github.com/computesdk/sandbox-skills). This mechanism bypasses standard review processes and executes code from an untrusted external source.
- [CREDENTIALS_UNSAFE] (SAFE): While the skill mentions environment variables for API keys (`COMPUTESDK_API_KEY`, `RENDER_API_KEY`), it correctly uses placeholders and does not contain hardcoded secrets.
Audit Metadata