agent-sandbox
Warn
Audited by Snyk on May 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). This skill's Install and Router Deployment instructions explicitly tell the operator to fetch and apply public manifests from GitHub (e.g., "kubectl apply -f https://github.com/.../manifest.yaml" in SKILL.md and the raw.githubusercontent.com router manifest in references/clients.md), meaning the agent is directed to ingest open/public third-party content (user-hosted GitHub/raw URLs) as part of its workflow and those fetched files can materially change actions the agent or tools take.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly tells operators to fetch and apply remote manifests and repo contents at runtime (e.g. kubectl apply -f https://github.com/kubernetes-sigs/agent-sandbox/releases/download/${VERSION}/manifest.yaml and https://github.com/kubernetes-sigs/agent-sandbox/releases/download/${VERSION}/extensions.yaml, the raw router manifest at https://raw.githubusercontent.com/kubernetes-sigs/agent-sandbox/${VERSION}/clients/python/agentic-sandbox-client/sandbox-router/sandbox_router.yaml, and git clone https://github.com/kubernetes-sigs/agent-sandbox), which are fetched/installed at runtime, are required for the controller/router/SDK to work, and therefore constitute high-confidence external dependencies that will execute remote code on install.
Issues (2)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata