Agent SecuritySandbox

Advisory

Audited by static analysis on May 10, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used correctly, this helps contain risky code; if used without review or containment, arbitrary commands can harm the local environment.

Why it was flagged

The skill is designed to execute arbitrary user-provided commands. That is expected for a sandboxing tool, but it is a sensitive capability that should remain explicitly user-directed and contained.

Skill content

./scripts/mass "<command>"

Recommendation

Run only specific commands the user has approved, and verify the sandbox wrapper is present and correctly configured before executing untrusted code.

What this means

Users may believe they are running code in a reviewed sandbox, while the actual sandbox runner is missing or would need to come from an unreviewed source.

Why it was flagged

The reviewed manifest contains only README.md, SKILL.md, and assets/seccomp.json, so the referenced `scripts/mass` runner is missing. The README also references installation from an external repository, leaving the security-critical implementation outside the reviewed package.

Skill content

Use the `mass` script located in the skill's `scripts/` directory to wrap the command.

Recommendation

Do not rely on this skill until the runner script, Dockerfile, and install path are included, pinned, and reviewed as part of the package.

What this means

A user or agent could trust the sandbox more than warranted and run malicious code under incomplete or unverified isolation.

Why it was flagged

The skill makes strong safety claims, but the artifacts do not include the script or Dockerfile that would enforce the claimed Docker restrictions. This can overstate the safety of running untrusted code.

Skill content

This skill provides a secure "clean room" ... restricted capabilities, no network access, and a custom seccomp profile

Recommendation

Treat the sandbox claims as unverified unless the complete implementation is present and confirms `--network=none`, `--cap-drop=ALL`, non-root execution, seccomp use, and disposable containers.