Agent SecuritySandbox
Pass. Audited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill
Name: agent-securitysandbox
Version: 1.0.0

The bundle defines a 'Multi-Agent Security Sandbox' (MASS) designed to isolate untrusted code execution using Docker. The documentation (SKILL.md, README.md) and configuration (assets/seccomp.json) consistently describe security-focused features such as dropping Linux capabilities, disabling network access, and blocking sensitive system calls like ptrace, mount, and clone. Two caveats apply: the seccomp profile uses a blacklist (deny-list) approach, which blocks only the syscalls it names and leaves every other syscall, including ones added to the kernel after the profile was written, at the permissive default; and the core execution script (scripts/mass) is referenced but not included in the reviewed bundle. Within those limits, the available content shows no evidence of malicious intent, data exfiltration, or prompt injection.
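Because a deny-list seccomp profile is only as strong as its list, the check a reviewer actually wants is twofold: which style the profile uses (is the default action permissive or blocking?), and which escape-relevant syscalls it leaves at that default. The script below is an added example written for this audit, not code from the skill. `SAMPLE_PROFILE` and `ALLOWLIST_PROFILE` are constructed stand-ins; the real contents of `assets/seccomp.json` are not reproduced on this page, so the syscalls named in the sample are an assumption modelled on the overview's description.

```python
"""Classify a Docker seccomp profile as allow-list or deny-list and report
which syscalls it fails to block.  Added example for this audit page; it is
not part of the agent-securitysandbox skill."""
import json
import sys

# Constructed sample modelled on a deny-list profile: everything is allowed
# by default and only the named syscalls fail with EPERM.  Not the real file.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ALLOW",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["ptrace", "mount", "umount2", "clone"],
         "action": "SCMP_ACT_ERRNO", "errnoRet": 1},
    ],
})

# Constructed allow-list counterpart: everything blocked unless named.
ALLOWLIST_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    ],
})

# Actions that stop the syscall; SCMP_ACT_LOG and SCMP_ACT_TRACE do not.
BLOCKING = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
            "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}

# Syscalls a sandbox reviewer wants blocked outright.  clone3 and unshare are
# listed deliberately: a profile that names only `clone` does not cover them.
ESCAPE_RELEVANT = ["ptrace", "mount", "clone", "clone3", "unshare", "bpf"]


def profile_style(profile):
    """'allow-list' when unknown syscalls are blocked by default, else 'deny-list'."""
    return "allow-list" if profile.get("defaultAction") in BLOCKING else "deny-list"


def effective_action(profile, syscall):
    """Action applied to `syscall`: the first rule naming it unconditionally,
    otherwise defaultAction.  Rules carrying `args` filters only match some
    calls, so they are not counted as a blanket block."""
    for rule in profile.get("syscalls", []):
        # Docker's format uses "names"; older profiles used a singular "name".
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if syscall in names and not rule.get("args"):
            return rule["action"]
    return profile.get("defaultAction", "SCMP_ACT_ALLOW")


def unblocked(profile, wanted_blocked):
    """Syscalls from `wanted_blocked` that the profile still lets through."""
    return [s for s in wanted_blocked if effective_action(profile, s) not in BLOCKING]


def audit(profile_text, wanted_blocked=ESCAPE_RELEVANT):
    """Parse a profile (JSON text) and return its style plus the gaps found."""
    profile = json.loads(profile_text)
    return {"style": profile_style(profile),
            "unblocked": unblocked(profile, wanted_blocked)}


if __name__ == "__main__":
    # Pass a real seccomp.json path to audit it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print(audit(text))
```

On the constructed sample the report is `{'style': 'deny-list', 'unblocked': ['clone3', 'unshare', 'bpf']}`: `clone` is blocked but `clone3` is not, which is exactly the gap a deny-list invites. The same syscall list against the allow-list profile reports nothing unblocked, because anything the profile does not name falls to the blocking default.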
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used correctly, this helps contain risky code; if used without review or containment, arbitrary commands can harm the local environment.
The skill is designed to execute arbitrary user-provided commands. That is expected for a sandboxing tool, but it is a sensitive capability that should remain explicitly user-directed and contained.
`./scripts/mass "<command>"`
Run only specific commands the user has approved, and verify the sandbox wrapper is present and correctly configured before executing untrusted code.
Users may believe they are running code in a reviewed sandbox, while the actual sandbox runner is missing or would need to come from an unreviewed source.
The reviewed manifest contains only README.md, SKILL.md, and assets/seccomp.json, so the referenced `scripts/mass` runner is missing. The README also references installation from an external repository, leaving the security-critical implementation outside the reviewed package.
Use the `mass` script located in the skill's `scripts/` directory to wrap the command.
Do not rely on this skill until the runner script, Dockerfile, and install path are included, pinned, and reviewed as part of the package.
A user or agent could trust the sandbox more than warranted and run malicious code under incomplete or unverified isolation.
The skill makes strong safety claims, but the artifacts do not include the script or Dockerfile that would enforce the claimed Docker restrictions. This can overstate the safety of running untrusted code.
This skill provides a secure "clean room" ... restricted capabilities, no network access, and a custom seccomp profile
Treat the sandbox claims as unverified unless the complete implementation is present and confirms `--network=none`, `--cap-drop=ALL`, non-root execution, seccomp use, and disposable containers.
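The recommendation on the first finding (verify the wrapper is present and correctly configured before executing untrusted code) and the recommendation above (confirm `--network=none`, `--cap-drop=ALL`, non-root execution, seccomp use, and disposable containers) both reduce to one static check on the wrapper's `docker run` line. The script below is an added example of that check, written for this audit; it is not the skill's own `scripts/mass`, which the reviewed package does not contain. `SAMPLE_WRAPPER` is a constructed stand-in, and the image name `sandbox-image:latest` and the uid `65534` in it are assumptions.

```python
"""Static check of a sandbox wrapper script for the Docker restrictions the
skill claims.  Added example for this audit page, not the skill's scripts/mass."""
import shlex

# Constructed wrapper in the shape a correct runner would take.  Not real code
# from the package; image name and uid are placeholders.
SAMPLE_WRAPPER = r'''#!/bin/sh
# constructed example wrapper, not the real scripts/mass
set -eu
exec docker run --rm --network=none --cap-drop ALL \
  --security-opt seccomp=assets/seccomp.json \
  --user 65534:65534 sandbox-image:latest sh -c "$1"
'''


def docker_run_tokens(script):
    """argv after `docker run` on the first line that invokes it, with
    backslash-newline continuations joined first."""
    joined = script.replace("\\\n", " ")
    for line in joined.splitlines():
        toks = shlex.split(line, comments=True)
        if "docker" in toks:
            i = toks.index("docker")
            if i + 1 < len(toks) and toks[i + 1] == "run":
                return toks[i + 2:]
    return []


def opt_values(argv, name):
    """Values given to option `name`, accepting `--opt value` and `--opt=value`."""
    vals = []
    for i, tok in enumerate(argv):
        if tok == name and i + 1 < len(argv):
            vals.append(argv[i + 1])
        elif tok.startswith(name + "="):
            vals.append(tok[len(name) + 1:])
    return vals


def check_wrapper(script):
    """Return a list of problems; an empty list means every claimed restriction
    is present on the docker run line."""
    argv = docker_run_tokens(script)
    if not argv:
        return ["no `docker run` invocation found"]
    problems = []
    nets = opt_values(argv, "--network") + opt_values(argv, "--net")
    if "none" not in nets:
        problems.append("network not disabled (--network=none)")
    if "ALL" not in [v.upper() for v in opt_values(argv, "--cap-drop")]:
        problems.append("capabilities not dropped (--cap-drop=ALL)")
    if opt_values(argv, "--cap-add"):
        problems.append("capabilities re-added with --cap-add")
    users = opt_values(argv, "--user") + opt_values(argv, "-u")
    if not users or any(u.split(":")[0] in ("0", "root") for u in users):
        problems.append("no non-root --user")
    secopts = opt_values(argv, "--security-opt")
    if not any(v.startswith("seccomp=") and v != "seccomp=unconfined" for v in secopts):
        problems.append("no custom seccomp profile (--security-opt seccomp=<file>)")
    if "--rm" not in argv:
        problems.append("container not disposable (--rm)")
    if "--privileged" in argv:
        problems.append("--privileged defeats every other restriction")
    return problems


if __name__ == "__main__":
    print("sample wrapper:", check_wrapper(SAMPLE_WRAPPER) or "ok")
    print("weak wrapper:", check_wrapper("docker run --network=none img sh\n"))
```

The check is deliberately strict about form: `--privileged` or any `--cap-add` is reported even when the other flags are present, because either one undoes the isolation the remaining flags claim. It is a text-level check only; it confirms what the wrapper asks Docker for, not what the daemon or the image actually does, so it complements rather than replaces reviewing the Dockerfile and install path called for above.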
