run-evals
Pass
Audited by Gen Agent Trust Hub on May 21, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches source code and configuration from the vendor's official GitHub repository (
different-ai/openwork).\n- [COMMAND_EXECUTION]: Utilizes thedaytonaCLI to create sandboxes and execute setup commands, such aspnpm install,git clone, and service initialization scripts inside the ephemeral environment.\n- [PROMPT_INJECTION]: The skill processes instruction-like steps from files within the repository (e.g.,evals/daytona-flows.md). This constitutes an indirect prompt injection surface as the agent interprets and executes steps defined in external data.\n - Ingestion points: Markdown files in the
evals/directory within the cloned repository.\n - Boundary markers: Absent; there are no delimiters or instructions to prevent the agent from following malicious commands if they were to be present in the evaluation files.\n
- Capability inventory: The agent has access to
daytona execfor shell commands andbrowser_evaluatefor executing JavaScript within the sandbox's browser.\n - Sanitization: The skill does not perform validation or sanitization of the steps read from the evaluation files before the agent processes them.
Audit Metadata