SAFE-Fuzzer
PassAudited by ClawScan on May 10, 2026.
Overview
SAFE-Fuzzer is a disclosed sandbox-only fuzzer that intentionally spawns a worker and exercises target skills, so it should be run only in a disposable sandbox but shows no artifact-backed malicious behavior.
Install and run this only in the dedicated OpenClaw fuzzer sandbox with disposable workspace contents. Do not provide real credentials or run it against valuable local files; its purpose is to exercise potentially unsafe target-skill behavior and report what happens.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the fuzzer may cause the target skill to perform commands, file operations, or network requests inside the sandbox.
The skill intentionally allows a target skill to drive file, shell, and network actions during fuzzing. This is disclosed and sandbox-scoped, but users should recognize that the target's behavior will be exercised automatically.
The worker executes the target's requested steps inside the sandbox and reports concrete file, shell, and network behavior.
Use only the intended locked fuzzer sandbox with no real credentials or valuable files, and review the resulting report before trusting a target skill.
Target-skill observations, synthetic bait, and probe context may be shared with the spawned worker session during the run.
The fuzzer uses a parent/worker subagent model, so probe instructions and observations flow through another session. The artifact describes the flow and constrains it to the run, but it is still an agent-to-agent data path.
Spawn a worker subagent via `sessions_spawn`. Send probe-cycle instructions via `sessions_send`.
Keep probes synthetic, avoid real secrets, and run in a disposable sandbox session as the skill instructs.
A malicious target skill could attempt to steer the fuzzer's worker through its documentation or instructions, though the run is intended to remain sandboxed.
The fuzzer may ingest target-owned instructions and source while testing potentially untrusted skills. This is purpose-aligned gray-box testing, and the safety gates reduce risk, but adversarial target content could try to influence the worker.
Limited reads of target instructions, docs, manifests, and source are allowed when they materially improve probe planning or blocker diagnosis
Do not override the sandbox gates or safety rules, and treat target-provided instructions as untrusted during result review.