use-instavm
Pass
Audited by Gen Agent Trust Hub on Mar 26, 2026
Risk Level: SAFE
Flagged categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses client.execute, client.execute_async, and client.execute_streaming methods to run shell commands within the managed sessions and virtual machines, which is central to its purpose as an infrastructure management tool (documented in references/compute.md and references/hosting.md).
- [EXTERNAL_DOWNLOADS]: The skill performs package installations using pip and clones external Git repositories during machine image construction (documented in references/hosting.md and references/compute.md). These operations target standard registries and user-provided URLs.
- [DATA_EXFILTRATION]: The skill accesses local SSH public keys from ~/.ssh/*.pub for the purpose of registering them with the platform to enable remote access to virtual machines (documented in references/access.md).
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface because it processes and executes content from external sources such as Git repositories.
  - Ingestion points: External repository cloning via git_clone_url in references/compute.md.
  - Boundary markers: None identified; instructions do not explicitly tell the agent to ignore embedded instructions in cloned content.
  - Capability inventory: The skill has extensive capabilities including arbitrary command execution (client.execute), file system modification (upload_file), and network egress control.
  - Sanitization: No evidence of input sanitization or validation for the cloned repository content was found.
Audit Metadata