--- name: untrusted-binary-sandbox description: Use when asked to safely inspect, sandbox, detonate, run, or dynamically observe untrusted release artifacts, closed-source binaries, JARs, installers, wallet/private-key software, crypto trading bots, or suspicious GitHub releases. Provides a staged static-to-dynamic workflow with VM/Docker isolation, network controls, Solana wallet safety, tracing, evidence capture, and risk reporting. --- # Untrusted Binary Sandbox ## Purpose Use this skill to plan and execute controlled behavioral observation of untrusted software without trusting the software, its installer, or its documentation. Treat wallet, private-key, trading, MEV, arbitrage, and closed-source crypto tools as high-risk by default. This skill does not prove safety. It reduces uncertainty for the exact artifact, configuration, runtime, and observation window tested. ## Non-Negotiables - Do not run downloaded binaries, JARs, install scripts, release artifacts, or `curl | sh` flows unless the user explicitly approves dynamic execution. - Prefer a sacrificial VM/VPS over a production host. Never mount production secrets, SSH keys, browser profiles, Docker socket, cloud credentials, or funded wallets. - Never use a real private key during observation. Use invalid keys, empty throwaway wallets, or a tiny-fund wallet only in the final live tier after explicit approval. - Pin artifact identity before execution: source URL, version, size, SHA-256, timestamp, and any signature/digest metadata. - Keep confirmed findings separate from risk signals and unknowns. Report confidence level. ## Workflow 1. Scope the sample: Identify the artifact, claimed purpose, required command, required secrets, network endpoints, supported OS/CPU, and whether the user is asking for static analysis, dynamic observation, or production feasibility. 2. Static triage first: Hash the artifact, inspect archive contents, review scripts/configs, run `file`, `readelf`, `objdump`, `strings`, `jar tf`, or language-specific archive inspection as appropriate. Avoid `ldd` on untrusted ELF files; use `readelf -d` or `objdump -p` instead. 3. Choose the lowest sufficient tier: - Tier 0: no-run static analysis only. - Tier 1: offline Docker run with `network_mode: none`. - Tier 2: internal-only network with mock RPC/API/DNS sinks. - Tier 3: controlled egress with allowlisted endpoints and packet/DNS logging. - Tier 4: sacrificial VM/VPS with tiny-fund throwaway wallet for live behavior, only after prior tiers are clean. 4. Build containment: Use non-root users, `read_only` root filesystem, `cap_drop: [ALL]`, `no-new-privileges`, PID/CPU/memory limits, tmpfs for scratch, no host networking, no privileged mode, no host path mounts except read-only artifacts/config and writable logs. 5. Instrument before execution: Capture process tree, syscalls, opened files, filesystem writes, DNS queries, outbound connections, child processes, resource use, and any downloaded or modified files. Prefer `strace` inside Linux containers and VM-level packet capture when network is enabled. 6. Execute briefly and repeat: Start with short timeouts such as 60-180 seconds. Repeat with a known-bad config, mock RPC, then controlled egress. Preserve logs and hashes after each run. 7. Report with judgment: Summarize confirmed behavior, suspicious signals, unknowns, confidence, and a go/no-go recommendation. For wallet software, include a separate private-key exposure assessment. ## Stop Criteria Stop and report immediately if the sample: - Reads SSH keys, shell history, browser profiles, cloud credentials, `.env` files, unrelated wallet paths, or host-sensitive directories. - Writes cron/systemd/profile startup hooks, modifies shell init files, changes file permissions broadly, or downloads and executes new payloads. - Requires root, host networking, Docker socket, privileged mode, broad host mounts, or disabled sandboxing without a clear technical need. - Connects to endpoints not declared in config/docs, especially paste sites, generic file hosts, Telegram bot APIs, raw IPs, or newly registered domains. - Attempts to exfiltrate key material or sends transactions before the expected safe stage. ## Solana And Wallet-Specific Rules - Never mount `~/.config/solana/id.json` or any funded wallet. - Prefer invalid key material or an empty throwaway keypair. Do not print, transform, or store private keys in chat. - Use a local mock RPC in Tier 2. In Tier 3, allow only explicit RPC/Jito/sender endpoints. - Treat "encrypt your private key with this binary" as high-risk behavior, not as a safety feature. - Measure failed transactions, priority-fee burn, Jito tips, and RPC rate-limit pressure separately from malware risk. ## Resources - Read `references/docker-sandbox.md` when building the actual Docker or VM containment plan. - Read `references/observation-checklist.md` when preparing the final evidence report. - Use `scripts/scaffold_sandbox.py` to generate a local sandbox scaffold. It creates Docker Compose files and a mock Solana RPC service, but does not execute the sample by default. **Appropriate for:** In-depth documentation, API references, database schemas, comprehensive guides, or any detailed information that Codex should reference while working. ### assets/ Files not intended to be loaded into context, but rather used within the output Codex produces. **Examples from other skills:** - Brand styling: PowerPoint template files (.pptx), logo files - Frontend builder: HTML/React boilerplate project directories - Typography: Font files (.ttf, .woff2) **Appropriate for:** Templates, boilerplate code, document templates, images, icons, fonts, or any files meant to be copied or used in the final output. --- **Not every skill requires all three types of resources.**