devbox

Fail

Audited by Gen Agent Trust Hub on Jun 12, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs users to install tools by piping remote shell scripts directly into bash. This occurs for the Namespace Devbox CLI (get.namespace.so/devbox/install.sh), the Namespace Cloud CLI (get.namespace.so/cloud/install.sh), and the OpenCode agent (opencode.ai/install). Any compromise of these third-party domains could lead to arbitrary code execution on the user's host machine or within the devbox environment.
  • [EXTERNAL_DOWNLOADS]: Related to the RCE finding, the skill initiates several external downloads of executable scripts from non-whitelisted domains during setup and image building processes.
  • [COMMAND_EXECUTION]: The skill makes extensive use of shell command execution to manage devbox lifecycles. It uses sed to dynamically modify the devbox.yaml configuration file at runtime and executes complex SSH commands to establish tunnels and forward ports. While necessary for the skill's functionality, this dynamic command construction increases the risk of command injection if inputs are not properly handled.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through its processing of GitHub issue data and ad-hoc tasks.
  • Ingestion points: Untrusted data enters the agent's context through placeholders like {{BODY}}, {{TITLE}}, and {{TASK}} in prompts/issue.md and prompts/adhoc.md.
  • Boundary markers: There are no delimiters or instructions provided to the agent to treat the interpolated content as untrusted or to ignore embedded instructions within that content.
  • Capability inventory: The agent has the capability to execute shell commands, perform Git operations (commit/push), and create Pull Requests via the GitHub CLI, providing a high-impact target for an injection attack.
  • Sanitization: No sanitization, escaping, or validation of the external content is performed before it is interpolated into the final prompt.
Recommendations
  • HIGH: Downloads and executes remote code from: https://get.namespace.so/cloud/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 12, 2026, 08:59 PM
Security Audit — agent-trust-hub — devbox