secure-sandbox
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides tools (sandbox_exec) that use child_process.execSync and child_process.spawn with shell: true to execute arbitrary strings as shell commands. While this is the primary purpose of the skill, it creates a high-risk capability that depends entirely on the effectiveness of the internal filters.
- [DATA_EXFILTRATION]: The command risk classifier in lib/classifier.js and the default allowlist in lib/allowlist.js categorize the cat command as 'safe' and 'auto-approve'. This configuration allows an agent to read sensitive local data, such as private keys, environment variables, or system configuration files, without triggering a manual approval workflow.
- [REMOTE_CODE_EXECUTION]: Automated scans detected patterns for piping remote scripts to a shell (e.g., curl | bash). These patterns are present in lib/classifier.js as part of the security blocklist and in test/sandbox.test.js as test cases to verify the blocker's functionality. While flagged by scanners, they are used here as part of the security logic rather than as active malicious payloads.
- [COMMAND_EXECUTION]: The sandbox_exec function allows users to provide an env object, which enables the injection of arbitrary environment variables into the execution context. This could be used to override application behavior or expose sensitive environment data.
- [REMOTE_CODE_EXECUTION]: The destructive path detection in lib/classifier.js specifically targets absolute paths (e.g., /etc/, /bin/). This logic can be bypassed using relative path traversal (e.g., ../../etc/passwd), which is not covered by the regex used to identify dangerous targets.
Recommendations
- HIGH: Downloads and executes remote code from: https://example.com, https://evil.com/script.sh - DO NOT USE without thorough review
Audit Metadata