benchmark-sandbox
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [Command Execution]: The skill uses `sandbox.runCommand` to perform remote shell operations and `execSync` locally to interact with the system keychain. This logic is essential for setting up the benchmark environment and executing the 3-phase evaluation pipeline.
- [Sensitive Data Access]: The runner accesses the local Vercel CLI configuration at `~/.local/share/com.vercel.cli/auth.json` and the macOS Keychain for `ANTHROPIC_AUTH_TOKEN`. This allows the tool to authenticate deployments and AI service calls during the benchmarks.
- [External Package Installation]: The provisioning scripts download and install global npm packages, including `@anthropic-ai/claude-code`, `vercel`, and `agent-browser`, into the sandboxes. These are trusted packages required for the tool's intended lifecycle.
- [Indirect Prompt Injection Surface]: The skill can load dynamic scenarios from JSON files which contain natural language prompts that influence the behavior of the agent inside the sandbox.
  - Ingestion points: Scenario prompts enter the system via the `scenarios-file` argument or built-in defaults processed in `run-eval.ts`.
  - Boundary markers: Prompts are delimited within structured JSON, but the skill lacks specific 'ignore instruction' guardrails for the generated prompt strings.
  - Capability inventory: The skill possesses capabilities for remote command execution, file system modification, and project deployment within the sandbox (evident in `run-eval.ts`).
  - Sanitization: There is no active validation or filtering applied to the natural language content of the ingested scenarios.
Audit Metadata