Prts Sandbox
Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: prts-sandbox
Version: 1.0.0

The skill provides a functional interface to an internal sandbox API (protocol-spaces-api) for executing pentesting tools in an isolated Kali Linux environment. The wrapper script `sandbox-cmd.sh` uses `jq` to safely handle command arguments and provides standard lifecycle management (start, stop, reset). The `SKILL.md` instructions explicitly direct the agent to use the sandbox for risky tasks while prohibiting access to sensitive host files, aligning with security best practices for agent-based tool execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Impact: The agent could run scans or authentication attacks against networks or services if the skill is invoked without careful user scoping.
Observation: The skill tells the agent it can run arbitrary commands and lists offensive security tools, but it does not define target authorization, approval, rate limits, or safe-use boundaries.
Evidence: `Running pentest tools (nmap, hydra, sqlmap, etc.) | ✅ Sandbox` ... `$SANDBOX exec <cmd> # Run a command inside sandbox`
Recommendation: Require explicit user confirmation of authorized targets and scope before running pentest tools, and document limits such as allowed networks, rate limits, and prohibited attack types.
Impact: The safety of command execution depends on an unreviewed service, so users cannot verify what actually executes commands or how isolated it is.
Observation: The included code is only a wrapper to a backend API; the API server, Kali image, container configuration, and isolation controls are not included or pinned in the provided install artifacts.
Evidence: `API_URL="http://protocol-spaces-api:3000"` ... `response=$(call_api POST /execute`
Recommendation: Include or clearly pin the backend implementation, container image digest, network and filesystem isolation settings, and declare the Protocol Spaces API dependency in metadata or install documentation.
Impact: A user may trust the sandbox more than the artifacts justify and run dangerous commands or downloaded scripts under assumptions that cannot be verified from this package.
Observation: The documentation makes a strong safety and isolation claim, but the provided artifacts do not show the container/image or enforcement mechanism behind that claim.
Evidence: "An isolated **Kali Linux 2025.4** container. All pentest tools and risky commands run here — never on the host."
Recommendation: Qualify the safety claims and provide verifiable isolation details, including what runs on the host, what runs in the sandbox, and what data or network access the sandbox has.
