workbench
Pass
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: Utilizes shell commands to manage Docker containers (build, run, exec, stop) for sandboxed execution.
- [COMMAND_EXECUTION]: Employs string interpolation for task names and file paths in shell commands, creating potential for command injection or path traversal on the host.
  - Evidence: 'cp /tmp/workbench/{task-name}/script.py /path/to/project/script.py' in SKILL.md allows moving code from the sandbox to host project directories.
- [PROMPT_INJECTION]: Subject to indirect prompt injection because it processes and executes untrusted code and task descriptions.
  - Ingestion points: User-provided task descriptions and code files stored in /tmp/workbench.
  - Boundary markers: Absent; no specific instructions to the agent to ignore embedded commands in processed data.
  - Capability inventory: Unrestricted shell access within the container and file system write access on the host via the 'cp' tool.
  - Sanitization: No sanitization logic detected for {task-name} or destination project paths before shell interpolation.
- [DATA_EXFILTRATION]: The execution environment permits network access by default, enabling code inside the container to transmit data to external servers.
  - Evidence: SKILL.md describes workflows for fetching data from an API and installing packages from external registries.