Lybic Sandbox
ยท v0.1.3
Lybic Sandbox is a cloud sandbox built for agents and automation workflows. Think of it as a disposable cloud computer you can spin up on demand. Agents can perform GUI actions like seeing the screen, clicking, typing, and handling pop ups, which makes it a great fit for legacy apps and complex flows where APIs are missing or incomplete. It is designed for control and observability. You can monitor execution in real time, stop it when needed, and use logs and replay to debug, reproduce runs, and evaluate reliability. For long running tasks, iterative experimentation, or sensitive environments, sandboxed execution helps reduce risk and operational overhead.
H:4 D:4 A:0 C:1
โ ๏ธ Hazard Flags
FS_READ_WORKSPACE NET_EGRESS_ANY PI_WEB
๐ Capabilities
Execution
- โ Shell execution
- โ Code execution
- โ Install dependencies
- โ Persistence
- Privilege: user
Filesystem
- โ Read workspace
- โ Write workspace
- โ Read home
- โ Write home
- โ Read system
- โ Delete
Network
- Egress: any
- โ Ingress
Credentials
- โ Environment vars
- โ Credential files
- โ Browser data
- โ Keychain
Actions
โ send messagesโ post publicโ purchaseโ transfer moneyโ deployโ delete external
๐ Containment
Level: maximum
Recommended:
- LOG_ACTIONS: Audit trail for all actions
โก Risks
Base64 decode + execute pattern in: examples/03_file_processing.py, SKILL.md critical
Mitigation: Decode and review obfuscated content before use.
Unauthorized tool use: INSTRUCTED_BINARY_INSTALL high
Mitigation: Avoid instructing agents to install arbitrary binaries; bundle dependencies or use sandboxed environments
Command injection risk: MCP_SQL_BLIND high
Mitigation: Remove SQL exploitation patterns.
Social engineering indicators: SOCIAL_ENG_VAGUE_DESCRIPTION low
Mitigation: Provide clear, detailed description of skill functionality
Data exfiltration patterns: DATA_EXFIL_BASE64_AND_NETWORK critical
Mitigation: Review base64 usage, especially if combined with network calls
Want a deeper analysis?
This report was generated by static analysis. Get an LLM-powered deep review with behavioral reasoning and attack surface mapping.
๐ง Deep Analysis โ $5.00๐จ Incident Response
Kill switch: Stop the agent process
Containment: Review logs for unexpected actions
Recovery: Depends on skill capabilities
๐ Raw SSDS JSON click to expand
{
"meta": {
"document_id": "ssds:auto:lybic cloud-computer skill:0.1.3",
"ssds_version": "0.2.0",
"scanner_version": "0.4.0+fe6fd9123d50",
"created_at": "2026-03-05T03:16:45.997Z",
"created_by": {
"agent": "safeagentskills-cli/generate-ssds"
},
"language": "en",
"notes": "Auto-generated SSDS. Manual review recommended."
},
"skill": {
"name": "Lybic Sandbox",
"version": "0.1.3",
"format": "agent_skill",
"description": "Lybic Sandbox is a cloud sandbox built for agents and automation workflows. Think of it as a disposable cloud computer you can spin up on demand. Agents can perform GUI actions like seeing the screen, clicking, typing, and handling pop ups, which makes it a great fit for legacy apps and complex flows where APIs are missing or incomplete. It is designed for control and observability. You can monitor execution in real time, stop it when needed, and use logs and replay to debug, reproduce runs, and evaluate reliability. For long running tasks, iterative experimentation, or sensitive environments, sandboxed execution helps reduce risk and operational overhead.",
"publisher": "unknown",
"source": {
"channel": "local"
},
"artifact": {
"sha256": "80d45c6aec3762134f94c1448b825afd0ac8070a7d438e51e11f3232fbda5797",
"hash_method": "files_sorted"
}
},
"capabilities": {
"execution": {
"can_exec_shell": false,
"can_exec_code": false,
"privilege_level": "user",
"can_install_deps": false,
"can_persist": false
},
"filesystem": {
"reads_workspace": true,
"reads_user_home": false,
"reads_system": false,
"writes_workspace": false,
"writes_user_home": false,
"writes_system": false,
"can_delete": false
},
"network": {
"egress": "any",
"ingress": false
},
"credentials": {
"reads_env_vars": false,
"reads_credential_files": false,
"reads_browser_data": false,
"reads_keychain": false
},
"services": [],
"actions": {
"can_send_messages": false,
"can_post_public": false,
"can_purchase": false,
"can_transfer_money": false,
"can_deploy": false,
"can_delete_external": false
},
"prompt_injection_surfaces": [
"web"
],
"content_types": [
"general"
]
},
"hazards": {
"hdac": {
"H": 4,
"D": 4,
"A": 0,
"C": 1
},
"flags": [
"FS_READ_WORKSPACE",
"NET_EGRESS_ANY",
"PI_WEB"
],
"custom_flags": [
{
"code": "BASE64_EXEC",
"name": "Base64 Execute",
"description": "Decodes and executes obfuscated code in: examples/03_file_processing.py, SKILL.md"
},
{
"code": "TOOL_ABUSE",
"name": "Unauthorized Tool Use",
"description": "INSTRUCTED_BINARY_INSTALL: Instructs agent to install external binary or package"
},
{
"code": "SOCIAL_ENGINEERING",
"name": "Social Engineering Risk",
"description": "SOCIAL_ENG_VAGUE_DESCRIPTION: Skill description is too vague or missing"
},
{
"code": "COMMAND_INJECTION",
"name": "Command Injection Risk",
"description": "MCP_SQL_BLIND: Blind SQL injection, system table access, or stored procedure abuse"
},
{
"code": "DATA_EXFILTRATION",
"name": "Data Exfiltration Risk",
"description": "DATA_EXFIL_BASE64_AND_NETWORK: Base64 encoding (often used before data exfiltration)"
}
],
"confidence": {
"level": "medium",
"basis": [
"static_analysis"
],
"notes": "Detected 5 security patterns (8 vendored rule hits). Review recommended."
},
"rationale": {
"H": "H4: Critical: Privilege escalation or malware detected",
"D": "D4: Critical: Credential theft or data exfiltration",
"A": "A0: No side effects detected",
"C": "C1: General content"
}
},
"containment": {
"level": "maximum",
"required": [],
"recommended": [
{
"control": "LOG_ACTIONS",
"reason": "Audit trail for all actions"
}
],
"uncontained_risk": "Risk level depends on manual review of actual capabilities."
},
"risks": {
"risks": [
{
"risk": "Base64 decode + execute pattern in: examples/03_file_processing.py, SKILL.md",
"severity": "critical",
"mitigation": "Decode and review obfuscated content before use."
},
{
"risk": "Unauthorized tool use: INSTRUCTED_BINARY_INSTALL",
"severity": "high",
"mitigation": "Avoid instructing agents to install arbitrary binaries; bundle dependencies or use sandboxed environments"
},
{
"risk": "Command injection risk: MCP_SQL_BLIND",
"severity": "high",
"mitigation": "Remove SQL exploitation patterns."
},
{
"risk": "Social engineering indicators: SOCIAL_ENG_VAGUE_DESCRIPTION",
"severity": "low",
"mitigation": "Provide clear, detailed description of skill functionality"
},
{
"risk": "Data exfiltration patterns: DATA_EXFIL_BASE64_AND_NETWORK",
"severity": "critical",
"mitigation": "Review base64 usage, especially if combined with network calls"
}
],
"limitations": [
"Static analysis only - runtime behavior not verified"
]
},
"incident_response": {
"kill_switch": [
"Stop the agent process"
],
"containment": [
"Review logs for unexpected actions"
],
"recovery": [
"Depends on skill capabilities"
]
},
"evidence": [
{
"evidence_id": "EV:file-1",
"type": "file_excerpt",
"title": "examples/01_execute_code.py",
"file_path": "examples/01_execute_code.py"
},
{
"evidence_id": "EV:file-2",
"type": "file_excerpt",
"title": "examples/02_gui_automation.py",
"file_path": "examples/02_gui_automation.py"
},
{
"evidence_id": "EV:file-3",
"type": "file_excerpt",
"title": "examples/03_file_processing.py",
"file_path": "examples/03_file_processing.py"
},
{
"evidence_id": "EV:file-4",
"type": "file_excerpt",
"title": "examples/04_manage_sandboxes.py",
"file_path": "examples/04_manage_sandboxes.py"
},
{
"evidence_id": "EV:file-5",
"type": "file_excerpt",
"title": "examples/05_android_automation.py",
"file_path": "examples/05_android_automation.py"
},
{
"evidence_id": "EV:file-6",
"type": "file_excerpt",
"title": "examples/06_http_port_mapping.py",
"file_path": "examples/06_http_port_mapping.py"
},
{
"evidence_id": "EV:file-7",
"type": "file_excerpt",
"title": "examples/README.md",
"file_path": "examples/README.md"
},
{
"evidence_id": "EV:file-8",
"type": "file_excerpt",
"title": "README.md",
"file_path": "README.md"
},
{
"evidence_id": "EV:file-9",
"type": "file_excerpt",
"title": "SKILL.md",
"file_path": "SKILL.md"
},
{
"evidence_id": "EV:file-10",
"type": "file_excerpt",
"title": "_meta.json",
"file_path": "_meta.json"
},
{
"evidence_id": "EV:cisco-1",
"type": "file_excerpt",
"title": "DATA_EXFIL_BASE64_AND_NETWORK [CRITICAL] examples/01_execute_code.py:45: stdinBase64=base64.b64encode(code.encode()).decode()",
"file_path": "examples/01_execute_code.py"
},
{
"evidence_id": "EV:cisco-2",
"type": "file_excerpt",
"title": "DATA_EXFIL_BASE64_AND_NETWORK [CRITICAL] examples/03_file_processing.py:82: stdinBase64=base64.b64encode(code.encode()).decode(),",
"file_path": "examples/03_file_processing.py"
},
{
"evidence_id": "EV:cisco-3",
"type": "file_excerpt",
"title": "MCP_SQL_BLIND [HIGH] examples/05_android_automation.py:113: await asyncio.sleep(3)",
"file_path": "examples/05_android_automation.py"
},
{
"evidence_id": "EV:cisco-4",
"type": "file_excerpt",
"title": "INSTRUCTED_BINARY_INSTALL [HIGH] examples/README.md:11: pip install lybic",
"file_path": "examples/README.md"
},
{
"evidence_id": "EV:cisco-5",
"type": "file_excerpt",
"title": "MCP_SQL_BLIND [HIGH] examples/README.md:198: - Wait longer after creation (increase `asyncio.sleep()` duration)",
"file_path": "examples/README.md"
},
{
"evidence_id": "EV:cisco-6",
"type": "file_excerpt",
"title": "INSTRUCTED_BINARY_INSTALL [HIGH] README.md:48: pip install lybic",
"file_path": "README.md"
},
{
"evidence_id": "EV:cisco-7",
"type": "file_excerpt",
"title": "INSTRUCTED_BINARY_INSTALL [HIGH] SKILL.md:83: pip install lybic",
"file_path": "SKILL.md"
},
{
"evidence_id": "EV:cisco-8",
"type": "file_excerpt",
"title": "SOCIAL_ENG_VAGUE_DESCRIPTION [LOW] SKILL.md:1: ---",
"file_path": "SKILL.md"
}
]
}