use-slicer
Fail
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill requires the use of `sudo` to manage the Slicer daemon and networking components (e.g., `sudo -E slicer up ./sandbox.yaml`).
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to access and manage sensitive local files, such as the GitHub personal access token stored at `~/.slicer/gh-access-token` and host SSH keys.
- [REMOTE_CODE_EXECUTION]: Fetches and executes the K3s installation script from the well-known get.k3s.io service within the microVM.
- [DATA_EXFILTRATION]: The 'Agent Sandbox' feature automatically transfers sensitive credentials from the host machine (including secrets for Amp, Claude, and Codex) into the microVMs to facilitate agent operations.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection, as it facilitates copying entire workspace directories into a VM where an AI agent executes code.
  - Ingestion points: Workspace paths used in `slicer amp`, `slicer claude`, `slicer codex`, and files transferred via `slicer vm cp`.
  - Boundary markers: No explicit boundary markers or 'ignore' instructions are provided to mitigate the risk of embedded instructions in workspace files.
  - Capability inventory: The skill provides extensive capabilities within the VM, including arbitrary command execution (`slicer vm exec`), interactive shells (`slicer vm shell`), and port forwarding.
  - Sanitization: No sanitization or validation of the transferred workspace data is documented.
Recommendations
- HIGH: Downloads and executes remote code from https://get.k3s.io. DO NOT USE without thorough review.
- AI detected serious security threats
Audit Metadata