Skill v1.0.0

ClawScan security

the-install-sandbox · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 8:59 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's purpose (sandbox + scanner) matches its code, but there are multiple implementation inconsistencies and overstated claims (isolated tmpfs, network-off, time limits, and a missing install method) that mean the package is not what its README/SKILL.md promise without further review.
Guidance
This package appears to implement a scanner and sandbox and includes sensible detection rules, but there are notable mismatches between what the docs promise and what the code implements. Before trusting it as your gating tool:

- Do not enable any auto-approve or automatic actions based solely on its output until you confirm its behavior.
- Manually review or run the package locally: run its tests and exercise scan/scan-local flows (use copy_local) to verify behavior. The CLI references sandbox.install_skill which is missing — remote fetch/install may not work.
- The README claims an isolated tmpfs sandbox, network-off, size/time limits, and namespaces, but Sandbox.create() only creates a directory; the implementation does not enforce tmpfs, network blocking, or timeouts. If you expect those guarantees, request or review code that mounts tmpfs, uses namespaces, or enforces resource limits.
- Treat reports as advisory. Consider running scans inside a real isolated VM or container while you validate the sandboxing features.
- If you want to use it in CI, require manual approval (no auto-approve) until the missing/mismatched behaviors are resolved.

What would change this assessment to benign: an updated release where the code actually implements the claimed isolation (tmpfs namespace/mount, network-blocking, timeouts), the CLI's install_skill is implemented (or removed), and the registry metadata correctly reflects that the package contains code (not instruction-only).
Findings
[prompt-injection-in-doc] expected: A prompt-injection phrase (e.g., 'ignore previous instructions') was detected in the README/SKILL.md. This is used as a detection example in the README and scanner patterns; it's expected in documentation and not an attempt to override this evaluation. Still, documentation examples can trigger naive scanners.

Review Dimensions

Purpose & Capability
[concern] Name/description and the included scanner/sandbox code broadly align: patterns, scanner, reporter, and policy exist and are coherent for a pre-install security scanner. However, README/SKILL.md repeatedly claim a true tmpfs jail (50MB), network-off, time-limited sandbox and a remote fetch/install step. The Sandbox.create() implementation merely makes a directory under the system temp dir and does not mount tmpfs, enforce size limits, drop network, or implement timeouts/namespaces. Additionally, the CLI calls sandbox.install_skill(slug, sandbox_id), but Sandbox has no install_skill method. Also, the registry metadata says 'instruction-only', yet the package contains setup.py and full source—this mismatch should be clarified.
Instruction Scope
[note] SKILL.md and README only instruct scanning and viewing reports; they don't ask the agent to read unrelated user files or exfiltrate data. The CLI, however, describes a 'fetch remote skill' flow which would require network access and relies on a Sandbox.install_skill implementation that is missing. A prompt-injection pattern was detected in the documentation/examples (likely as a detection example), which could be confusing but is not an instruction to exfiltrate data.
Install Mechanism
[note] No install spec in the registry metadata (instruction-only), but a standard setup.py is present and README shows pip/git install options. There are no downloads from arbitrary URLs or extract-from-unknown-host operations. Dependencies are minimal (typer, colorama). The mismatch between 'instruction-only' metadata and present packaging code is worth asking about but not inherently unsafe.
Credentials
[ok] The skill declares no required environment variables, credentials, or config paths. The code scans for many credential patterns (as expected for a scanner) but does not itself request or try to read environment credentials. No disproportionate secret access is requested.
Persistence & Privilege
[ok] The skill does not request always:true or elevated persistent privileges. It writes reports and policy under the user's ~/.config/the_install_sandbox and uses a temp sandbox dir — this is reasonable for a scanner. It does not attempt to modify other skills or system-wide agent settings.