sandbox-agent

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly shows runtime flows that fetch and open arbitrary public URLs (e.g., Computer Use's openDesktopTarget / Chromium headless examples and numerous Process API examples like "curl -fsSL https://... | sh"), which lets an agent retrieve and view untrusted third‑party web content (pages, scripts) as part of its workflow and therefore that content could materially influence tool use or next actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The docs include commands that run remote install scripts at runtime (e.g., curl -fsSL https://releases.rivet.dev/sandbox-agent/0.4.x/install.sh | sh), which fetch and execute remote code and are used in multiple deployment/run examples to install the required sandbox-agent binary.