Back to skill

Security audit

RunBox — Paid Code Execution for AI Agents

Security checks across malware telemetry and agentic risk

Overview

RunBox is mostly transparent about being a paid remote code runner, but it gives an agent direct real-money spending authority with weak safeguards.

Install only if you are comfortable giving the skill a dedicated low-balance Stellar wallet. Prefer testnet or a tightly funded wallet, use a trusted HTTPS or self-hosted endpoint, avoid submitting private code or secrets, and configure the agent to ask before any paid run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (13)

Tainted flow: 'RUNBOX_ENDPOINT' from os.environ.get (line 34, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def run_code(session_token: str, language: str, code: str) -> dict:
    """Execute code using a valid session token."""
    r = requests.post(
        f"{RUNBOX_ENDPOINT}/api/exec/run",
        json={"language": language, "code": code},
        headers={"Authorization": f"Bearer {session_token}"},
Confidence
94% confidence
Finding
r = requests.post( f"{RUNBOX_ENDPOINT}/api/exec/run", json={"language": language, "code": code}, headers={"Authorization": f"Bearer {session_token}"}, timeout=60,

Tainted flow: 'RUNBOX_ENDPOINT' from os.environ.get (line 34, credential/environment) → requests.post (network output)

Critical
Category
Data Flow
Content
def run_code(session_token: str, language: str, code: str) -> dict:
    """Execute code using a valid session token."""
    r = requests.post(
        f"{RUNBOX_ENDPOINT}/api/exec/run",
        json={"language": language, "code": code},
        headers={"Authorization": f"Bearer {session_token}"},
Confidence
94% confidence
Finding
r = requests.post( f"{RUNBOX_ENDPOINT}/api/exec/run", json={"language": language, "code": code}, headers={"Authorization": f"Bearer {session_token}"}, timeout=60,

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This README explicitly instructs agents to autonomously spend funds from a configured Stellar wallet and execute arbitrary user-requested code on a remote service, but provides no safety guidance, approval requirement, spending limits, or warning about the trust boundary. In an agent-skill context, documentation like this directly encourages unsafe behavior that can lead to unauthorized financial transactions, abuse of wallet credentials, and execution of untrusted code on third-party infrastructure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README tells users to export a raw STELLAR_SECRET_KEY and use a script that 'pays automatically, no other config needed,' again without any user-facing warning about spending real funds, secret handling risks, or the consequences of autonomous payment. This is especially dangerous for agent integrations because it normalizes unattended access to a hot wallet secret and encourages automatic payments to a remote endpoint, increasing the risk of fund loss, credential exposure, and unsafe tool behavior.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation guidance is broad enough to match ordinary requests such as 'compute', 'calculate', or 'write and run', which can cause the agent to route benign tasks to this skill unnecessarily. In this skill's context, over-invocation is more dangerous than usual because each invocation may send code to a third-party server and autonomously spend USDC.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill encourages autonomous use and highlights 'No human approval' while not prominently warning at the point of invocation that real funds may be spent from the configured Stellar wallet. This creates a strong risk of silent or unexpected financial loss, especially when paired with broad auto-invocation guidance and a reusable wallet secret stored in the environment.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill transmits code to a remote sandbox for execution, but the script does not provide a clear, prominent warning at execution time that code leaves the local environment. Users may unintentionally disclose proprietary code, secrets embedded in scripts, or regulated data to a third-party service.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script reads a Stellar secret key from the environment and uses it to sign blockchain payments, but it does not provide a prominent warning that a real spending credential is being consumed. In the context of an autonomous code-execution skill, this is especially dangerous because users may expose a funded wallet key without understanding that the tool can spend funds automatically.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script submits a USDC payment immediately after receiving payment instructions from the remote service, without any confirmation prompt, spender policy, recipient verification, or amount cap. Because the service endpoint is configurable and defaults to an IP over HTTP, a malicious service or MITM could induce unauthorized or misdirected payments.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script can automatically submit a real Stellar mainnet USDC payment without an explicit confirmation step, warning, spending cap, or dry-run default. In an agent skill context, this is especially dangerous because an autonomous workflow or prompt-triggered use could spend funds unexpectedly or repeatedly against attacker-controlled payment instructions.

Unpinned Dependencies

Low
Category
Supply Chain
Content
stellar-sdk>=10.0.0
requests>=2.31.0
Confidence
95% confidence
Finding
stellar-sdk>=10.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
stellar-sdk>=10.0.0
requests>=2.31.0
Confidence
98% confidence
Finding
requests>=2.31.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
97% confidence
Finding
requests

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.