RunBox — Paid Code Execution for AI Agents
Security checks across malware telemetry and agentic risk
Overview
RunBox is transparent about remote code execution, but it can automatically spend real USDC from a Stellar wallet and sends code to a remote server over plaintext HTTP, so users should review it carefully.
Install only if you want an agent to run code on a third-party service and can tolerate autonomous per-session charges. Use testnet or a dedicated low-balance Stellar wallet, require approvals or spending limits, prefer HTTPS/self-hosting, and avoid sending private code or secrets.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A compromised, changed, or mistaken payment response could cause the agent to spend real USDC from the configured wallet beyond the expected per-run amount.
The script uses the user's wallet secret to sign a Stellar payment to the destination and amount returned by the remote service, with no local price cap, recipient allowlist, or approval check visible in the artifact.
STELLAR_SECRET_KEY = os.environ.get("STELLAR_SECRET_KEY", "") ... pay_to = offer.get("payTo", offer.get("destination", "")); amount = offer.get("price", offer.get("amount", "0.01")); tx = submit_stellar_payment(pay_to, str(amount), memo="runbox")
Use a dedicated low-balance wallet or testnet, require per-payment approval, and enforce a local maximum amount and trusted recipient before signing.
Normal requests to run or calculate code can trigger paid remote executions without the user confirming each charge.
The skill directs the agent to use a paid remote-execution tool automatically for broad triggers, while explicitly removing human approval from the payment flow.
"No API key. No account. No human approval. The payment IS the authentication." ... "Invoke RunBox automatically when the user says" ... "compute X" / "calculate"
Configure the agent to ask before paid runs, set a budget, reuse sessions deliberately, and avoid enabling autonomous invocation for ambiguous requests.
Code, outputs, session tokens, and payment negotiation traffic may be exposed or modified on the network if the default endpoint is used.
The default endpoint is plain HTTP, and the script sends code plus a bearer session token to that endpoint.
RUNBOX_ENDPOINT = os.environ.get("RUNBOX_ENDPOINT", "http://46.101.74.170:4001").rstrip("/") ... requests.post(f"{RUNBOX_ENDPOINT}/api/exec/run", json={"language": language, "code": code}, headers={"Authorization": f"Bearer {session_token}"}, timeout=60)
Prefer HTTPS or a self-hosted trusted endpoint, and do not send private code or secrets through the default HTTP service.
User-selected code is executed outside the local machine on the RunBox service.
Remote code execution is the core disclosed purpose of the skill, so it is expected rather than hidden.
"Execute code in a remote, isolated Docker sandbox"
Use it only for code you are comfortable sending to the provider, and avoid embedding secrets in snippets.
Future dependency changes could affect payment-signing behavior if installed without review.
The Python dependencies are lower-bound version ranges rather than pinned exact versions; this is common but notable because the script signs wallet transactions.
stellar-sdk>=10.0.0 requests>=2.31.0
Install from a locked environment or pin and audit dependency versions, especially for mainnet wallet use.
