cloudflare-sandbox

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The installation instructions require cloning a repository from an untrusted source: https://github.com/WellDunDun/claude-code-sandbox.git. This source is not on the [TRUST-SCOPE-RULE] whitelist, and the subsequent execution of npm install on this untrusted code poses a supply chain risk.
  • PROMPT_INJECTION (HIGH): The skill demonstrates a significant Indirect Prompt Injection surface (Category 8).
  • Ingestion points: The POST /execute API endpoint accepts a task string from untrusted external requests.
  • Boundary markers: None are specified in the command construction or instructions to the model.
  • Capability inventory: The environment runs claude-code with --permission-mode acceptEdits, granting it the ability to modify files and execute commands within the container.
  • Sanitization: There is no evidence of sanitization or filtering for the input ${task} before it is passed to the AI agent.
  • REMOTE_CODE_EXECUTION (HIGH): The skill's primary purpose is to facilitate the remote execution of tasks. While isolated in a sandbox, the lack of input validation and the use of untrusted setup scripts elevate the risk of host-level or cloud-credential compromise if the container isolation is bypassed or if the setup scripts contain malicious payloads.
  • COMMAND_EXECUTION (MEDIUM): The skill relies on local shell scripts (Tools/check-prerequisites.sh, etc.) provided by the untrusted repository to perform system-level diagnostics and configuration, which could be leveraged for local malicious activity.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:02 AM