microsandbox
Fail
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script `scripts/setup.sh` executes remote content by piping a download from `https://install.microsandbox.dev` directly into the shell (`curl -fsSL ... | sh`). This pattern runs arbitrary, unverified code from an external source: whatever that endpoint serves at install time is executed with the privileges of the user running setup, with no checksum or signature check between download and execution.
- [EXTERNAL_DOWNLOADS]: The skill downloads the `msb` CLI and the `libkrunfw` library from the `microsandbox.dev` domain during setup. It also fetches OCI container images from remote registries during normal operation.
- [COMMAND_EXECUTION]: The skill provides extensive capabilities to run arbitrary commands and shell scripts on the host or inside sandboxed environments via `msb run`, `msb exec`, and `msb shell`. This allows the agent to execute any instructions provided to it.
- [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection (Category 8). Ingestion points: untrusted code or scripts are passed to the execution commands documented in `SKILL.md` and `references/cli-reference.md`. Boundary markers: the skill relies on microVM hardware isolation as its security boundary. Capability inventory: full CLI access to sandbox and network management via subprocess calls to `msb`. Sanitization: the skill does not sanitize or validate input code strings, relying solely on the VM boundary for host protection.
Recommendations
- HIGH: Downloads and executes remote code from `https://install.microsandbox.dev` without verification. DO NOT USE without thorough review.
- AI detected serious security threats
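The REMOTE_CODE_EXECUTION finding and the HIGH recommendation above both concern the `curl -fsSL ... | sh` step. The following is an added example of the check a reviewer would want in its place; it is not code from the microsandbox project or its installer. It downloads to a file, compares a SHA-256 digest pinned from a trusted out-of-band source, and only then executes. The helper names `sha256_of` and `verify_and_run` and the placeholder digest are assumptions for illustration; the real digest for the installer is not on this page and must be obtained separately. The sample "installer" at the bottom is a constructed stand-in so the block runs offline.

```shell
#!/bin/sh
# Added example, not from the microsandbox project or its installer.
# The audited pattern executes whatever the server sends, unverified:
#   curl -fsSL https://install.microsandbox.dev | sh
# The hardened form below downloads to a file, verifies a pinned SHA-256
# digest, and only then runs the script. The digest is a placeholder here;
# it must come from a trusted out-of-band source (signed release manifest).

set -eu

# Compute the SHA-256 of a file with whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Run a downloaded installer only if its digest matches the pinned value.
# Returns 0 after running it on a match; returns 1 and runs nothing on a
# mismatch, so a tampered or substituted download is never executed.
verify_and_run() {
    file=$1
    expected=$2
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$file"
}

# Against the real installer the sequence would be (not executed here):
#   tmp=$(mktemp)
#   curl -fsSL -o "$tmp" https://install.microsandbox.dev
#   verify_and_run "$tmp" "<pinned sha256 from a trusted source>"

# Constructed sample: a harmless stand-in for the installer, hashed locally.
SAMPLE_INSTALLER=$(mktemp)
printf '%s\n' '#!/bin/sh' 'echo installer-ran' > "$SAMPLE_INSTALLER"
SAMPLE_DIGEST=$(sha256_of "$SAMPLE_INSTALLER")
# A digest that cannot match, standing in for a tampered download.
BAD_DIGEST=0000000000000000000000000000000000000000000000000000000000000000
```

The point of the split is that the download and the execution become two separate, inspectable steps: the file can be read before it runs, and a mismatch fails closed rather than executing a modified script. Pinning a digest protects against a changed or substituted download but not against a trusted publisher shipping something malicious, so the review the recommendation calls for is still required.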
Audit Metadata